Summary

Ampache 6.2.1 has multiple reflected XSS vulnerabilities: every form in Ampache that uses rule as a variable is not secure. For example, querying a song or querying a podcast uses the $rule variable.

Details

https://github.com/ampache/ampache/blob/bcaa9a4624acf8c8cc4c135be77b846731fb1ba2/src/Repository/Model/Search.php#L1732-L1740

![image](https://github.com/ampache/ampache/assets/66168888/efdd91bc-081f-4d94-837a-d4627a9ec447)

The reason is that the $rule values ($rule[0], $rule[1], $rule[2], $rule[3]) are inserted directly into the front-end code through $javascript, without filtering malicious strings.

Proof of Concept (POC)

Impact

Many parameters of the form provided by search.php allow the HTML page to be tampered with. If an attacker hosts a form on their own web page, a logged-in user or administrator is forced to submit the malicious form through the page the attacker constructed, resulting in cookie theft.
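
The pattern described under Details, shown beside a hardened form, as an added example that is not Ampache's code and not the project's actual fix. The function names, the `addRule` callback, the meaning of the four rule fields and the sample input are assumptions made for illustration; the hardening uses PHP's `json_encode` with its `JSON_HEX_*` flags.

```php
<?php
// Added illustration only: names and data are hypothetical, not taken from Ampache.

/** Unsafe: request-supplied rule values are concatenated into a JS string literal as-is. */
function rules_to_js_unsafe(array $rules): string
{
    $javascript = '';
    foreach ($rules as $rule) {
        $javascript .= '<script>addRule("' . $rule[0] . '","' . $rule[1] . '","'
            . $rule[2] . '","' . $rule[3] . '");</script>';
    }
    return $javascript;
}

/** Hardened: every value is emitted as a JSON literal that cannot end the string or the script element. */
function rules_to_js_safe(array $rules): string
{
    // JSON_HEX_* turns < > & ' " into \uXXXX escapes; JSON_THROW_ON_ERROR fails closed on bad UTF-8
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $javascript = '';
    foreach ($rules as $rule) {
        $args = [];
        foreach ($rule as $value) {
            // Non-scalar request values (nested arrays) are dropped rather than serialized
            $args[] = json_encode(is_scalar($value) ? (string) $value : '', $flags);
        }
        $javascript .= '<script>addRule(' . implode(',', $args) . ');</script>';
    }
    return $javascript;
}

// Constructed input: the third field carries a double quote and a closing script tag
$rules = [['title', 'contains', 'x"</script><b>injected</b>', 'text']];

$unsafe = rules_to_js_unsafe($rules);
$safe   = rules_to_js_safe($rules);

// Check whether the injected markup reaches the page verbatim in each variant
var_dump(str_contains($unsafe, '</script><b>injected</b>'));
var_dump(str_contains($safe, '</script><b>injected</b>'));

// Inspect the encoded form the browser receives from the hardened variant
echo $safe, PHP_EOL;
```

Escaping for a JavaScript context differs from HTML escaping: `htmlspecialchars` alone is the wrong encoder inside a `<script>` block, which is why the hardened variant serializes each value as a JSON literal instead.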