OpenCVE

Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Ampache	Ampache

Configuration 1 [-]

cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36
https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6
https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f

History

Fri, 27 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ampache Ampache ampache
CPEs		cpe:2.3:a:ampache:ampache::::::::
Vendors & Products		Ampache Ampache ampache
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Sep 2024 14:15:00 +0000

Type	Values Removed	Values Added
Description		Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue.
Title		Ampache vulnerable to Stored XSS via Democratic Playlist Name
Weaknesses		CWE-79
References		https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36 https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6 https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-27T14:05:01.794Z

Updated: 2024-09-27T16:20:59.445Z

Reserved: 2024-09-19T22:32:11.963Z

Link: CVE-2024-47184

Vulnrichment

Updated: 2024-09-27T15:01:47.157Z

NVD

Status : Analyzed

Published: 2024-09-27T14:15:04.833

Modified: 2024-10-04T18:19:26.240

Link: CVE-2024-47184

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-19T22:32:11.963Z", "datePublished": "2024-09-27T14:05:01.794Z", "dateUpdated": "2024-09-27T16:20:59.445Z"}, "containers": {"cna": {"title": "Ampache vulnerable to Stored XSS via Democratic Playlist Name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f"}, {"name": "https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6"}, {"name": "https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36", "tags": ["x_refsource_MISC"], "url": "https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36"}], "affected": [{"vendor": "ampache", "product": "ampache", "versions": [{"version": "< 6.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-27T14:05:01.794Z"}, "descriptions": [{"lang": "en", "value": "Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue."}], "source": {"advisory": "GHSA-f99r-gv34-v46f", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "ampache", "product": "ampache", "cpes": ["cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.6.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-27T15:01:07.163760Z", "id": "CVE-2024-47184", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T16:20:59.445Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47184", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-27T15:01:07.163760Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"], "vendor": "ampache", "product": "ampache", "versions": [{"status": "affected", "version": "0", "lessThan": "6.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T15:01:47.157Z"}}], "cna": {"title": "Ampache vulnerable to Stored XSS via Democratic Playlist Name", "source": {"advisory": "GHSA-f99r-gv34-v46f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ampache", "product": "ampache", "versions": [{"status": "affected", "version": "< 6.6.0"}]}], "references": [{"url": "https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f", "name": "https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6", "name": "https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36", "name": "https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-27T14:05:01.794Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47184", "state": "PUBLISHED", "dateUpdated": "2024-09-27T16:20:59.445Z", "dateReserved": "2024-09-19T22:32:11.963Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-27T14:05:01.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CE7A18A-729A-422A-A3BD-E86365DE8C72", "versionEndExcluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue."}, {"lang": "es", "value": "Ampache es una aplicaci\u00f3n de transmisi\u00f3n de audio y video basada en la Web y un administrador de archivos. Antes de la versi\u00f3n 6.6.0, el nombre de la lista de reproducci\u00f3n democr\u00e1tica era vulnerable a un ataque de cross site scripting. La versi\u00f3n 6.6.0 soluciona este problema."}], "id": "CVE-2024-47184", "lastModified": "2024-10-04T18:19:26.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-27T14:15:04.833", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/ampache/ampache/blob/ff332c9810e493fd51b258f5e53119fad86c23bf/public/templates/show_democratic.inc.php#L36"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ampache/ampache/commit/7e64d140dafcbe0d61f1a07e94486f6ed67932d6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-f99r-gv34-v46f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}