Lucene search

GitHub_MCVELIST:CVE-2024-28852

HistoryMar 27, 2024 - 1:18 p.m.

CVE-2024-28852 Ampache has multiple reflective XSS vulnerabilities

2024-03-2713:18:10

CWE-79

GitHub_M

www.cve.org

ampache

reflective xss

web application

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

9.0%

JSON

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities,this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule variable. This vulnerability is fixed in 6.3.1

CNA Affected

[
  {
    "vendor": "ampache",
    "product": "ampache",
    "versions": [
      {
        "version": "< 6.3.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/ampache/ampache/blob/bcaa9a4624acf8c8cc4c135be77b846731fb1ba2/src/Repository/Model/Search.php#L1732-L1740

github.com/ampache/ampache/security/advisories/GHSA-g7hx-hm68-f639

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-28852