Pro Week ’25: Fireside in the Forum AMA

Question:

What’s the story behind the urgent security patch that had to be applied to PMS and why couldn’t we access Wikipedia information of actors and actresses for a short time while browsing our library via an internet browser?

Answer:
We received a responsible disclosure of a vulnerability through our bug bounty program, fixed the vulnerability, and released a patch as urgently as possible. This is our intended process for handling reported issues like this.

We also did our own investigation into various data to see if we could find any evidence that the vulnerability was being exploited (we could not). Going into a bunch of technical detail right away would only serve to put people who hadn’t yet updated at unnecessary risk, so we focused on getting people to upgrade to an updated version.

The vulnerability allowed people that you’re sharing your server with to use an API endpoint to discover your authentication token. We’ve since addressed this remotely by disabling sharing on vulnerable server versions, so this can no longer be exploited regardless of server version. We’re appreciative of all the people who use our bug bounty program and responsible disclosure to make Plex as safe as possible.

Also - the second part of the question around not being able to access actor and actress information was not related to the security patch in any way and was most likely an internet/networking issue where that data could not be fetched successfully for a period of time.