Vulnerability Description
Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ampache | Ampache | < 6.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxphExploitVendor Advisory
- https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxphExploitVendor Advisory
FAQ
What is CVE-2024-41665?
CVE-2024-41665 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists -...
How severe is CVE-2024-41665?
CVE-2024-41665 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-41665?
Check the references section above for vendor advisories and patch information. Affected products include: Ampache Ampache.