Vendor CVEs
Ampache
All CVEs
26 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51144 | Ampache | High | 0.57 | 8.8 | 0.00 | | Mar 5, 2025 | Cross Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', 'pvmsg.php?action=confirm_delete', and 'ajax.server.php?page=user&action=flip_follow' endpoints in Ampache <= 6.6.0. |
| CVE-2024-51484 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerability allows an attacker to exploit CSRF attacks, potentially… |
| CVE-2024-51485 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability allows an attacker to exploit CSRF attacks, potentially… |
| CVE-2024-51486 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The vulnerability exists in the interface section of the Ampache menu, where users can change the "Custom URL - Favicon". This section is not properly sanitized, allowing for the input of strings that… |
| CVE-2024-51487 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating a catalog. This vulnerability allows an attacker to exploit CSRF attacks, potentially… |
| CVE-2024-51488 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users delete messages. This vulnerability could be exploited to forge CSRF attacks, allowing an attacker to delete… |
| CVE-2024-51489 | Ampache | | 0.00 | — | 0.00 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users send messages to one another. This vulnerability could be exploited to forge CSRF attacks, allowing an… |
| CVE-2024-51490 | Ampache | | 0.00 | — | 0.01 | | Nov 11, 2024 | Ampache is a web based audio/video streaming application and file manager. This vulnerability exists in the interface section of the Ampache menu, where users can change "Custom URL - Logo". This section is not properly sanitized, allowing for the input of strings that can… |
| CVE-2024-47828 | Ampache | | 0.00 | — | 0.00 | | Oct 9, 2024 | Ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web… |
| CVE-2024-47184 | Ampache | | 0.00 | — | 0.01 | | Sep 27, 2024 | Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue. |
| CVE-2024-41665 | Ampache | | 0.00 | — | 0.00 | | Jul 23, 2024 | Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content… |
| CVE-2024-28852 | Ampache | | 0.00 | — | 0.01 | | Mar 27, 2024 | Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities; this means that all forms in Ampache that use `rule` as a variable are not secure. For example, when querying a song, when querying a podcast, we… |
| CVE-2024-28853 | Ampache | | 0.00 | — | 0.01 | | Mar 27, 2024 | Ampache is a web based audio/video streaming application and file manager. Stored Cross Site Scripting (XSS) vulnerability in Ampache before v6.3.1 allows a remote attacker to execute code via a crafted payload to several parameters in the post request of… |
| CVE-2023-0771 | Ampache | | 0.00 | — | 0.01 | | Feb 10, 2023 | SQL Injection in GitHub repository ampache/ampache prior to 5.5.7, develop. |
| CVE-2023-0606 | Ampache | | 0.00 | — | 0.01 | | Feb 1, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7. |
| CVE-2022-4665 | Ampache | | 0.00 | — | 0.01 | | Dec 23, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6. |
| CVE-2021-32644 | Ampache | | 0.00 | — | 0.01 | | Jun 22, 2021 | Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering, versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is… |
| CVE-2020-15153 | Ampache | | 0.00 | — | 0.02 | | Apr 30, 2021 | Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch. |
| CVE-2021-21399 | Ampache | | 0.00 | — | 0.01 | | Apr 13, 2021 | Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For… |
| CVE-2019-12386 | Ampache | | 0.00 | — | 0.01 | | Aug 22, 2019 | An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose… |
| CVE-2019-12385 | Ampache | | 0.00 | — | 0.02 | | Aug 22, 2019 | An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to… |
| CVE-2017-18375 | Ampache | | 0.00 | — | 0.02 | | May 24, 2019 | Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php. |
| CVE-2008-3929 | Ampache | | 0.00 | — | 0.00 | | Sep 4, 2008 | gather-messages.sh in Ampache 3.4.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/filelist temporary file. |
| CVE-2007-4438 | Ampache | | 0.00 | — | 0.01 | | Aug 20, 2007 | Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2007-4437 | Ampache | | 0.00 | — | 0.01 | | Aug 20, 2007 | SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 allows remote attackers to execute arbitrary SQL commands via the match parameter. NOTE: some details are obtained from third party information. |
| CVE-2006-5668 | Ampache | | 0.00 | — | 0.02 | | Nov 3, 2006 | Unspecified vulnerability in Ampache 3.3.2 and earlier, when register_globals is enabled, allows remote attackers to bypass security restrictions and gain guest access. |