Ampache
CVE-2024-47828
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. This vulnerability can be exploited by creating a malicious script with an arbitrary playlist ID belonging to another user. When the user submits the request, their playlist will be deleted. Any User with active sessions who are tricked into submitting a malicious request are impacted, as their playlists or other objects could be deleted without their consent.
AnalysisAI
ampache is a web based audio/video streaming application and file manager. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. This vulnerability can be exploited by creating a malicious script with an arbitrary playlist ID belonging to another user. When the user submits the request, their playlist will be deleted. Any User with active sessions who are tricked into submitting a malicious request are impacted, as their playlists or other objects could be deleted without their consent. Affected products include: Ampache.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
Ampache is a web based audio/video streaming application and file manager. Rated critical severity (CVSS 9.0), this vuln
SQL Injection in GitHub repository ampache/ampache prior to 5.5.7,develop. Rated high severity (CVSS 8.8), this vulnerab
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6. Rated high severity
An issue was discovered in Ampache through 3.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Ampache is a web based audio/video streaming application and file manager. Rated high severity (CVSS 8.4), this vulnerab
Ampache is a web based audio/video streaming application and file manager. Rated high severity (CVSS 7.5), this vulnerab
Ampache is a web based audio/video streaming application and file manager. Rated medium severity (CVSS 6.1), this vulner
Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7. Rated medium severity (CVSS
Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnera
An issue was discovered in Ampache through 3.9.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo
Ampache is a web based audio/video streaming application and file manager. Rated medium severity (CVSS 5.3), this vulner
Ampache is a web based audio/video streaming application and file manager. Rated medium severity (CVSS 5.3), this vulner
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today