{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41665", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-18T15:21:47.484Z", "datePublished": "2024-07-23T17:14:56.459Z", "dateUpdated": "2024-08-02T04:46:52.459Z"}, "containers": {"cna": {"title": "Ampache Stored Cross-site Scripting Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph"}], "affected": [{"vendor": "ampache", "product": "ampache", "versions": [{"version": "< 6.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-23T17:14:56.459Z"}, "descriptions": [{"lang": "en", "value": "Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the \"Playlists - Democratic - Configure Democratic Playlist\" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-cp44-89r2-fxph", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "ampache", "product": "ampache", "cpes": ["cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.6.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T20:06:51.489479Z", "id": "CVE-2024-41665", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T20:07:21.477Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.459Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.459Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41665", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T20:06:51.489479Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"], "vendor": "ampache", "product": "ampache", "versions": [{"status": "affected", "version": "0", "lessThan": "6.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T20:07:18.343Z"}}], "cna": {"title": "Ampache Stored Cross-site Scripting Vulnerability", "source": {"advisory": "GHSA-cp44-89r2-fxph", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ampache", "product": "ampache", "versions": [{"status": "affected", "version": "< 6.6.0"}]}], "references": [{"url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "name": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the \"Playlists - Democratic - Configure Democratic Playlist\" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-23T17:14:56.459Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41665", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:46:52.459Z", "dateReserved": "2024-07-18T15:21:47.484Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-23T17:14:56.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the \"Playlists - Democratic - Configure Democratic Playlist\" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue."}, {"lang": "es", "value": " Ampache, una aplicaci\u00f3n de transmisi\u00f3n de audio/v\u00eddeo y administrador de archivos basada en web, tiene una vulnerabilidad de Cross Site Scripting (XSS) almacenadas en versiones anteriores a la 6.6.0. Esta vulnerabilidad existe en la funci\u00f3n \"Playlists - Democratic - Configure Democratic Playlist\". Un atacante con permisos de Administrador de contenido puede establecer el campo Name en ``. Cuando cualquier administrador o usuario acceda a la funcionalidad Democratic, se ver\u00e1 afectado por esta vulnerabilidad de XSS almacenado. El atacante puede aprovechar esta vulnerabilidad para obtener las cookies de cualquier usuario o administrador que acceda al archivo `democratic.php`. La versi\u00f3n 6.6.0 contiene un parche para el problema."}], "id": "CVE-2024-41665", "lastModified": "2024-07-24T12:55:13.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-23T18:15:06.790", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ampache/ampache/security/advisories/GHSA-cp44-89r2-fxph"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}