CVE-2024-51144 – This CSRF vulnerability in Ampache allows attac... (How to Fix)

📋 TL;DR

This CSRF vulnerability in Ampache allows attackers to trick authenticated users into performing unintended actions by sending malicious requests. It affects users of Ampache versions up to 6.6.0 who are logged into the application.

💻 Affected Systems

Products:

Ampache

Versions: <= 6.6.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user to be authenticated; affects specific endpoints: pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, ajax.server.php?page=user&action=flip_follow

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete user messages, add malicious messages, or manipulate user follow relationships without the victim's knowledge or consent.

🟠

Likely Case

Unauthorized message deletion or creation, manipulation of user relationships, and potential data integrity issues.

🟢

If Mitigated

Limited impact with proper CSRF protections, though some functionality might be temporarily disrupted.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version > 6.6.0

Vendor Advisory: https://github.com/ampache/ampache

Restart Required: No

Instructions:

1. Update Ampache to version > 6.6.0
2. Verify the update completed successfully
3. Test affected endpoints to ensure CSRF protection is in place

🔧 Temporary Workarounds

Implement CSRF Tokens

all

Add CSRF tokens to the vulnerable endpoints to validate requests

🧯 If You Can't Patch

Implement web application firewall rules to block suspicious requests to affected endpoints
Restrict access to Ampache interface to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check if Ampache version is <= 6.6.0 and test endpoints for CSRF protection

Check Version:

Check Ampache web interface or configuration files for version information

Verify Fix Applied:

Verify version is > 6.6.0 and test that affected endpoints now require CSRF tokens

📡 Detection & Monitoring

Log Indicators:

Multiple failed CSRF token validations
Unusual patterns of requests to pvmsg.php or ajax.server.php endpoints

Network Indicators:

Requests to vulnerable endpoints without proper referrer headers or CSRF tokens

SIEM Query:

source="ampache" AND (uri="*pvmsg.php*" OR uri="*ajax.server.php*") AND NOT csrf_token=*

📊 Metadata

CVE ID: CVE-2024-51144

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

EPSS Score: 1.17% exploit probability (78.4th percentile)

Published: March 5, 2025

Last Updated: September 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51144, you might also want to check these: