CVE-2024-41665

Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue.
Configurations

No configuration.

History

21 Nov 2024, 09:32

Type Values Removed Values Added
References () https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph - () https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph -

24 Jul 2024, 12:55

Type Values Removed Values Added
Summary
  • (es) Ampache, una aplicación de transmisión de audio/vídeo y administrador de archivos basada en web, tiene una vulnerabilidad de Cross Site Scripting (XSS) almacenadas en versiones anteriores a la 6.6.0. Esta vulnerabilidad existe en la función "Playlists - Democratic - Configure Democratic Playlist". Un atacante con permisos de Administrador de contenido puede establecer el campo Name en ``. Cuando cualquier administrador o usuario acceda a la funcionalidad Democratic, se verá afectado por esta vulnerabilidad de XSS almacenado. El atacante puede aprovechar esta vulnerabilidad para obtener las cookies de cualquier usuario o administrador que acceda al archivo `democratic.php`. La versión 6.6.0 contiene un parche para el problema.

23 Jul 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-23 18:15

Updated : 2024-11-21 09:32


NVD link : CVE-2024-41665

Mitre link : CVE-2024-41665

CVE.ORG link : CVE-2024-41665


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')