CVE-2019-12386

MEDIUM

Ampache <3.9.1 - XSS

Title source: llm

Description

An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.

Exploits (1)

github WORKING POC 11 stars

by X-C3LL · pythonpoc

https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2019-12386

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://www.tarlogic.com/en/blog/vulnerabilities-in-ampache/

[Mailing List] https://lists.debian.org/debian-lts-announce/2019/11/msg00008.html

Scores

CVSS v3 5.4

EPSS 0.0025

EPSS Percentile 48.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

ampache/ampache < 3.9.1

Published Aug 22, 2019

Tracked Since Feb 18, 2026