
CVE-2021-25828: Reflected Cross-Site Scripting (XSS) (CVE-2021-25828) · Issue #3785 · MediaBrowser/Emby

Emby Server versions < 4.6.0.50 are vulnerable to Cross-Site Scripting (XSS) via a crafted GET request to /web.


Two years ago I reported an issue regarding a Cross-Site Scripting vulnerability in the *nux version of Emby Media Server:

I found a Reflected Cross-Site Scripting as well. Everything after /web/ is reflected. See the attachments for an example: [http://<ip>:8096/web/<script>alert(document.location)</script>](http://<ip>:8096/web/%3Cscript%3Ealert(document.location)%3C/script%3E)

EDIT: This issue only affects the *nux version of the app, the Windows version seems fine.

I tested this and I confirm that this issue has been resolved.
This vulnerability is known as CVE-2021-25828.
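
A defensive check for the behaviour described in the report, as an added example that is not part of the original issue or Emby's code: it scans access-log lines for requests under `/web/` whose percent-decoded path contains HTML markup characters. The combined log format, the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format is an assumption).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2021:10:00:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2021:10:00:07 +0000] "GET /web/%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1" 404 312',
    '10.0.0.9 - - [01/Mar/2021:10:00:09 +0000] "GET /web/%253Cb%253E HTTP/1.1" 404 298',
    '10.0.0.7 - - [01/Mar/2021:10:01:00 +0000] "GET /emby/System/Info HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Angle brackets have no place in a static asset path under /web/.
MARKUP_RE = re.compile(r"[<>]")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_web_requests(lines):
    """Return (line_number, decoded_tail) for /web/ requests carrying markup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = match.group("target")
        if not target.lower().startswith("/web/"):
            continue  # the report only concerns content after /web/
        tail = fully_decode(target[len("/web/"):])
        if MARKUP_RE.search(tail):
            hits.append((number, tail))
    return hits


if __name__ == "__main__":
    for number, tail in suspicious_web_requests(SAMPLE_LOG):
        print(f"line {number}: markup in /web/ path: {tail!r}")
```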
