Ampache Stored Cross-site Scripting Vulnerability

Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Ampache 跨站脚本漏洞

Ampache是Ampache开源的一款基于Web的音频/视频应用程序和文件管理器。 Ampache 6.6.0 版本之前存在跨站脚本漏洞，该漏洞源于“Playlists - Democratic - Configure Democratic Playlist”功能中，包含一个存储型跨站脚本漏洞。具有内容管理器权限的攻击者利用该漏洞可以在 Name 字段注入 JavaScript 代码。

N/A

N/A