RSS   Vulnerabilities for 'Ampache'   RSS

2019-08-22
 
CVE-2019-12386

CWE-79
 

 
An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.

 
 
CVE-2019-12385

CWE-89
 

 
An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.

 
2019-05-24
 
CVE-2017-18375

CWE-502
 

 
Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.

 
2008-09-04
 
CVE-2008-3929

CWE-59
 

 
gather-messages.sh in Ampache 3.4.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/filelist temporary file.

 
2007-08-20
 
CVE-2007-4438

CWE-287
 

 
Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.

 
 
CVE-2007-4437

 

 
SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 allows remote attackers to execute arbitrary SQL commands via the match parameter. NOTE: some details are obtained from third party information.

 
2006-11-02
 
CVE-2006-5668

 

 
Unspecified vulnerability in Ampache 3.3.2 and earlier, when register_globals is enabled, allows remote attackers to bypass security restrictions and gain guest access.

 


Copyright 2019, cxsecurity.com

 

Back to Top