Cross-site Scripting in Random.php

High
lachlan-00 published GHSA-vqpj-xgw2-r54q Jun 22, 2021

Package

Ampache

Affected versions

4.4.2

Patched versions

4.4.3, master

Description

A vulnerability in Ampache 4.4.2 has been reported by Ali Oguz using Netsparker Web Application Security For Enterprise (https://www.netsparker.com).

This vulnerability affects the stable branch; users of any 4.x.x version should update to 4.4.3 as soon as possible.

Exploitation requires user authentication to reach the random.php page, unless the site is running in demo mode.

Affected Software: Ampache
Affected Versions: 4.4.2
Vulnerability Type: Cross-Site Scripting

Cross-site Scripting in Random.php

URL: /random.php?action=get_advanced&type=%27%22%20onmouseover%3dalert(0x0002DE)%20
Parameter Name: type
Parameter Type: GET
Attack Pattern: %27%22+ns%3dnetsparker(0x0002DE)+
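The request above carries the payload in the `type` query parameter of random.php. For operators checking whether this was probed before they patched, the following script is an added example (not Ampache's code and not part of the original advisory): it scans web-server access-log lines in Common Log Format, decodes the `type` value of every request to random.php, and flags values containing quotes, angle brackets or an `on*=` event handler. The log lines are constructed for this example (they reuse only the URL and attack pattern quoted above), and the `LOG_RE` format, the `SUSPICIOUS_RE` heuristic and the `WATCHED` endpoint list are assumptions; it generalizes beyond the advisory in that any endpoint/parameter pair can be added to `WATCHED`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format. The two "10.0.0.9"
# requests reuse the advisory's URL and attack pattern; hosts, users and
# timestamps are made up for this example.
SAMPLE_LOG = (
    '10.0.0.5 - alice [22/Jun/2021:10:01:02 +0000] '
    '"GET /random.php?action=get_advanced&type=song HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [22/Jun/2021:10:01:07 +0000] '
    '"GET /random.php?action=get_advanced&type=%27%22%20onmouseover%3dalert(0x0002DE)%20 HTTP/1.1" 200 734\n'
    '10.0.0.9 - - [22/Jun/2021:10:01:09 +0000] '
    '"GET /random.php?action=get_advanced&type=%27%22+ns%3dnetsparker(0x0002DE)+ HTTP/1.1" 200 734\n'
    '10.0.0.7 - bob [22/Jun/2021:10:02:00 +0000] '
    '"GET /index.php HTTP/1.1" 200 2048\n'
)

# Fields of a Common Log Format request line (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (an assumption of this example): a value that can close an HTML
# attribute or tag (quotes, angle brackets), or that names an on*= event
# handler, is not a legitimate object type such as "song" or "album".
SUSPICIOUS_RE = re.compile(r'[\'"<>]|\bon\w+\s*=', re.IGNORECASE)

# Endpoint and parameter named in the advisory; extend to watch more pairs.
WATCHED = (("/random.php", "type"),)


def suspicious_value(value: str) -> bool:
    """True if the decoded parameter value looks like an HTML/JS injection."""
    return SUSPICIOUS_RE.search(value) is not None


def extract_param(target: str, param: str) -> list:
    """Return every decoded occurrence of `param` in the request target."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(param, [])


def scan_log(text: str) -> list:
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip
        target = m.group("target")
        path = urlsplit(target).path
        for endpoint, param in WATCHED:
            if not path.endswith(endpoint):
                continue
            for value in extract_param(target, param):
                if suspicious_value(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "user": m.group("user"),
                        "timestamp": m.group("ts"),
                        "status": m.group("status"),
                        "param": param,
                        "decoded": value,
                    })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} user={hit["user"]} '
              f'status={hit["status"]} {hit["param"]}={hit["decoded"]!r}')
```

Decoding before matching matters: the payload in the advisory is fully percent-encoded, so a pattern applied to the raw request line would miss it, and the `+`-encoded variant in the attack pattern only becomes visible after `parse_qs` turns `+` into a space. A `200` status on a flagged line means the page rendered the reflected value, which is why the user and timestamp are kept in each finding.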

Severity

High

CVE ID

CVE-2021-32644

Weaknesses

No CWEs