cve-2024-41665
Vulnerability from cvelistv5
Published
2024-07-23 17:14
Modified
2024-08-02 04:46
Severity ?
EPSS score ?
Summary
Ampache Stored Cross-site Scripting Vulnerability
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ampache",
"vendor": "ampache",
"versions": [
{
"lessThan": "6.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41665",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T20:06:51.489479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:07:21.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ampache",
"vendor": "ampache",
"versions": [
{
"status": "affected",
"version": "\u003c 6.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the \"Playlists - Democratic - Configure Democratic Playlist\" feature. An attacker with Content Manager permissions can set the Name field to `\u003csvg onload=alert(8)\u003e`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:14:56.459Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph"
}
],
"source": {
"advisory": "GHSA-cp44-89r2-fxph",
"discovery": "UNKNOWN"
},
"title": "Ampache Stored Cross-site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41665",
"datePublished": "2024-07-23T17:14:56.459Z",
"dateReserved": "2024-07-18T15:21:47.484Z",
"dateUpdated": "2024-08-02T04:46:52.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-41665\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-23T18:15:06.790\",\"lastModified\":\"2024-07-24T12:55:13.223\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the \\\"Playlists - Democratic - Configure Democratic Playlist\\\" feature. An attacker with Content Manager permissions can set the Name field to `\u003csvg onload=alert(8)\u003e`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\" Ampache, una aplicaci\u00f3n de transmisi\u00f3n de audio/v\u00eddeo y administrador de archivos basada en web, tiene una vulnerabilidad de Cross Site Scripting (XSS) almacenadas en versiones anteriores a la 6.6.0. Esta vulnerabilidad existe en la funci\u00f3n \\\"Playlists - Democratic - Configure Democratic Playlist\\\". Un atacante con permisos de Administrador de contenido puede establecer el campo Name en ``. Cuando cualquier administrador o usuario acceda a la funcionalidad Democratic, se ver\u00e1 afectado por esta vulnerabilidad de XSS almacenado. El atacante puede aprovechar esta vulnerabilidad para obtener las cookies de cualquier usuario o administrador que acceda al archivo `democratic.php`. La versi\u00f3n 6.6.0 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.