Lucene search

[email protected]CVE-2024-28852

HistoryMar 27, 2024 - 2:15 p.m.

CVE-2024-28852

2024-03-2714:15:10

CWE-79

[email protected]

web.nvd.nist.gov

ampache

reflective xss

web application

audio streaming

video streaming

file manager

vulnerability

patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

8.9%

JSON

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities,this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule variable. This vulnerability is fixed in 6.3.1

Affected configurations

Vulners

Node

ampacheampacheRange<6.3.1

VendorProductVersionCPE
ampacheampache*cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ampache	ampache	*	cpe:2.3:a:ampache:ampache::::::::

CNA Affected

[
  {
    "vendor": "ampache",
    "product": "ampache",
    "versions": [
      {
        "version": "< 6.3.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/ampache/ampache/blob/bcaa9a4624acf8c8cc4c135be77b846731fb1ba2/src/Repository/Model/Search.php#L1732-L1740

github.com/ampache/ampache/security/advisories/GHSA-g7hx-hm68-f639

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

8.9%

JSON

Related for CVE-2024-28852

ubuntucve1 cvelist1 cnvd1 nvd1