CVE-2024-28852 in Ampacheinfo

Summary

by MITRE • 03/27/2024

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities,this means that all forms in the Ampache that use `rule` as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use `$rule` variable. This vulnerability is fixed in 6.3.1

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2025

The vulnerability identified as CVE-2024-28852 affects Ampache, a widely used web-based audio and video streaming application that serves as both a media server and file manager for digital content repositories. This application processes user requests through various query mechanisms that utilize the `$rule` variable as a parameter for content filtering and retrieval operations. The security flaw manifests as multiple reflective cross-site scripting vulnerabilities that occur when the application fails to properly sanitize or encode user-supplied input before incorporating it into dynamic web page content.

The technical implementation of this vulnerability stems from the application's insufficient input validation and output encoding practices within its query processing framework. When users perform searches or filter content through various forms, the `$rule` parameter becomes a conduit for malicious script injection attacks. The vulnerability specifically impacts all forms that utilize this variable, including those designed for song and podcast queries, where user input directly influences the application's response generation. This reflective nature means that malicious scripts are executed in the victim's browser context when they encounter the reflected payload, making the vulnerability particularly dangerous in multi-user environments where other users might be exposed to crafted malicious requests.

The operational impact of CVE-2024-28852 extends beyond simple data theft or session hijacking, as it provides attackers with potential access to sensitive user information and system resources within the Ampache environment. An attacker could craft malicious URLs containing XSS payloads that, when clicked by other users, would execute arbitrary JavaScript code in their browsers. This could lead to unauthorized access to personal media libraries, session token theft, or even privilege escalation within the application's user management system. The vulnerability's presence across multiple query forms increases the attack surface significantly, making it more difficult for administrators to fully mitigate the risk through partial fixes.

Security practitioners should note that this vulnerability aligns with CWE-79, which describes cross-site scripting flaws in web applications, and maps to several ATT&CK techniques including T1566 for credential access through social engineering and T1059 for command and script injection. The remediation approach requires immediate deployment of the fixed version 6.3.1, which implements proper input sanitization and output encoding mechanisms. Organizations should also consider implementing additional security measures such as web application firewalls, content security policies, and regular security audits to prevent similar vulnerabilities in other application components. The fix demonstrates proper secure coding practices that should be adopted across the entire codebase to prevent reflective XSS attacks in future development cycles.

This vulnerability highlights the critical importance of input validation in web applications, particularly those handling user-generated content or serving as media management platforms where users might be prompted to enter search parameters. The incident underscores the need for comprehensive security testing including dynamic application security testing and static code analysis to identify similar flaws in other applications within the same ecosystem. Organizations using Ampache should conduct immediate vulnerability assessments to identify any potential exploitation attempts and implement proper monitoring for suspicious user activities that might indicate attempted attacks against this vulnerability.

Responsible

GitHub, Inc.

Reservation

03/11/2024

Disclosure

03/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00516

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!