Cross-Site Request Forgery Vulnerability in Ampache
CVE-2024-51488
5.4 MEDIUM
What is CVE-2024-51488?
Ampache, a popular web-based audio and video streaming application, has a critical vulnerability in its CSRF token parsing mechanism. Because the token is parsed incorrectly, an attacker can forge requests that delete messages belonging to any user, including administrators. If an authenticated user is induced to submit a crafted request, the attacker can act within that user's session and delete messages without the user's consent. This poses a significant threat to user data integrity and application security. No workarounds are available, so users are strongly advised to upgrade to version 7.0.1 or later to mitigate the risk. Further details on this vulnerability can be found in the official advisory.
Affected Version(s)
ampache < 7.0.1