Ampache

All CVEs

26 total · sorted by risk
  • CVE-2024-51144 · High · Mar 5, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the `pvmsg.php?action=add_message`, `pvmsg.php?action=confirm_delete`, and `ajax.server.php?page=user&action=flip_follow` endpoints in Ampache <= 6.6.0.

  • CVE-2024-51484 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerability allows an attacker to exploit CSRF attacks, potentially…

  • CVE-2024-51485 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability allows an attacker to exploit CSRF attacks, potentially…

  • CVE-2024-51486 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The vulnerability exists in the interface section of the Ampache menu, where users can change the "Custom URL - Favicon". This section is not properly sanitized, allowing for the input of strings that…

  • CVE-2024-51487 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating catalogs. This vulnerability allows an attacker to exploit CSRF attacks, potentially…

  • CVE-2024-51488 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users delete messages. This vulnerability could be exploited to forge CSRF attacks, allowing an attacker to delete…

  • CVE-2024-51489 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users send messages to one another. This vulnerability could be exploited to forge CSRF attacks, allowing an…

  • CVE-2024-51490 · Nov 11, 2024
    risk 0.00 · cvss · epss 0.01

    Ampache is a web based audio/video streaming application and file manager. This vulnerability exists in the interface section of the Ampache menu, where users can change "Custom URL - Logo". This section is not properly sanitized, allowing for the input of strings that can…

  • CVE-2024-47828 · Oct 9, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web…

  • CVE-2024-47184 · Sep 27, 2024
    risk 0.00 · cvss · epss 0.01

    Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to stored cross-site scripting. Version 6.6.0 fixes this issue.

  • CVE-2024-41665 · Jul 23, 2024
    risk 0.00 · cvss · epss 0.00

    Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content…

  • CVE-2024-28852 · Mar 27, 2024
    risk 0.00 · cvss · epss 0.01

    Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflected XSS vulnerabilities; all forms in Ampache that use `rule` as a variable are not secure. For example, when querying a song, when querying a podcast, we…

  • CVE-2024-28853 · Mar 27, 2024
    risk 0.00 · cvss · epss 0.01

    Ampache is a web based audio/video streaming application and file manager. Stored Cross Site Scripting (XSS) vulnerability in Ampache before v6.3.1 allows a remote attacker to execute code via a crafted payload to several parameters in the post request of…

  • CVE-2023-0771 · Feb 10, 2023
    risk 0.00 · cvss · epss 0.01

    SQL Injection in GitHub repository ampache/ampache prior to 5.5.7, develop.

  • CVE-2023-0606 · Feb 1, 2023
    risk 0.00 · cvss · epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7.

  • CVE-2022-4665 · Dec 23, 2022
    risk 0.00 · cvss · epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.

  • CVE-2021-32644 · Jun 22, 2021
    risk 0.00 · cvss · epss 0.01

    Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering, versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is…

  • CVE-2020-15153 · Apr 30, 2021
    risk 0.00 · cvss · epss 0.02

    Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.

  • CVE-2021-21399 · Apr 13, 2021
    risk 0.00 · cvss · epss 0.01

    Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For…

  • CVE-2019-12386 · Aug 22, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose…

  • CVE-2019-12385 · Aug 22, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to…

  • CVE-2017-18375 · May 24, 2019
    risk 0.00 · cvss · epss 0.02

    Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.

  • CVE-2008-3929 · Sep 4, 2008
    risk 0.00 · cvss · epss 0.00

    gather-messages.sh in Ampache 3.4.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/filelist temporary file.

  • CVE-2007-4438 · Aug 20, 2007
    risk 0.00 · cvss · epss 0.01

    Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.

  • CVE-2007-4437 · Aug 20, 2007
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 allows remote attackers to execute arbitrary SQL commands via the match parameter. NOTE: some details are obtained from third party information.

  • CVE-2006-5668 · Nov 3, 2006
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in Ampache 3.3.2 and earlier, when register_globals is enabled, allows remote attackers to bypass security restrictions and gain guest access.