
[SECURITY] [DLA 1988-1] ampache security update

Package        : ampache
Version        : 3.6-rzb2752+dfsg-5+deb8u1
CVE ID         : CVE-2019-12385 CVE-2019-12386

Several vulnerabilities were discovered in Ampache, a web-based audio
file management system.


    A stored XSS exists in the localplay.php LocalPlay "add instance"
    functionality. The injected code is reflected in the instances menu.
    This vulnerability can be abused to force an admin to create a new
    privileged user whose credentials are known by the attacker.


    The search engine is affected by a SQL Injection, so any user able
    to perform lib/class/search.class.php searches (even guest users)
    can dump any data contained in the database (sessions, hashed
    passwords, etc.). This may lead to a full compromise of admin
    accounts, when combined with the weak password generator algorithm
    used in the lostpassword functionality.
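The advisory names three defect classes (a search query that mixes user input into SQL, a stored instance name rendered unescaped into a menu, and a weak generator for lost-password secrets). The PHP below is an added illustration, not Ampache's code and not the Debian patch: it shows each weak pattern next to its hardened form on a constructed in-memory SQLite table. The table and column names, the `searchUnsafe`/`searchSafe`, `renderInstanceMenu` and `newResetSecret` function names, and the sample titles are assumptions for illustration only.

```php
<?php
// Added example (not Ampache code): the three defect classes from the advisory,
// each shown as a weak pattern beside its hardened form.
// Schema, data and function names are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE song (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO song (title) VALUES ('Blue Monday'), ('Five O''Clock')");

// 1. Search. Concatenating the term hands it to the SQL parser, so a quote in
//    user input changes the statement instead of being matched as data.
function searchUnsafe(PDO $db, string $term): array {
    $sql = "SELECT id, title FROM song WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement binds the term as a value; the SQL text is
// fixed before any user data is seen.
function searchSafe(PDO $db, string $term): array {
    $stmt = $db->prepare('SELECT id, title FROM song WHERE title LIKE :pat');
    $stmt->execute([':pat' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Instance menu. A stored name is attacker-controlled data; encode it at
//    output time so any markup it carries is displayed, not interpreted, when
//    an administrator opens the menu.
function renderInstanceMenu(array $names): string {
    $items = '';
    foreach ($names as $name) {
        $items .= '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// 3. Lost-password secret. Draw it from the CSPRNG (random_bytes), never from
//    rand()/mt_rand() or anything seeded from the clock, so it cannot be
//    reproduced by someone who knows roughly when it was generated.
function newResetSecret(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes)); // 128 bits of entropy with the default
}

// Demonstration. A plain title containing an apostrophe is enough to show the
// data/code confusion: the unsafe query fails to parse, the safe one matches.
$term = "O'Clock";
try {
    $rows = count(searchUnsafe($db, $term));
    printf("unsafe search: %d row(s)\n", $rows);
} catch (PDOException $e) {
    echo "unsafe search: SQL error, the term reached the parser\n";
}
printf("safe search: %d row(s)\n", count(searchSafe($db, $term)));
echo renderInstanceMenu(['Kitchen', '<b>not</b> markup']), "\n";
echo 'reset secret: ', newResetSecret(), "\n";
```

The search demonstration deliberately uses an ordinary apostrophe rather than an attack string: if normal input can alter or break the statement, injection is already possible, and the fix is the same (bind parameters, never concatenate). For the menu, encoding belongs at the point of output, not only at storage time, so that every render path is covered.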

For Debian 8 "Jessie", these problems have been fixed in version
3.6-rzb2752+dfsg-5+deb8u1.

We recommend that you upgrade your ampache packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
