Ampache 6.2.1 has multiple reflective XSS vulnerabilities,this means that all forms in the Ampache that use rule as a variable are not secure.
For example, when querying a song, when querying a podcast, we need to use $rule variable.
The reason is that the $rule($rule[0], $rule[1], $rule[2], $rule[3]) variables are directly referenced by $javascript into the front-end code without filtering malicious strings.
In the form provided by search.php, many parameters can cause the html page to be tampered with. If the attacker can create a form from his own web page, then the user or administrator who has logged in will be forced to submit a malicious form through the program of the page constructed by the attacker, resulting in Cookie theft.
Hebing123
commented
3 months ago
Summary
Ampache 6.2.1 has multiple reflective XSS vulnerabilities,this means that all forms in the Ampache that use
ruleas a variable are not secure. For example, when querying a song, when querying a podcast, we need to use$rulevariable.Details
https://github.com/ampache/ampache/blob/bcaa9a4624acf8c8cc4c135be77b846731fb1ba2/src/Repository/Model/Search.php#L1732-L1740
The reason is that the
$rule($rule[0], $rule[1], $rule[2], $rule[3]) variables are directly referenced by $javascript into the front-end code without filtering malicious strings.Proof of Concept (POC)
Impact
In the form provided by search.php, many parameters can cause the html page to be tampered with. If the attacker can create a form from his own web page, then the user or administrator who has logged in will be forced to submit a malicious form through the program of the page constructed by the attacker, resulting in Cookie theft.