Debian LTS: DLA-1988-1: ampache security update

    Date11 Nov 2019
    CategoryDebian LTS
    156
    Posted ByLinuxSecurity Advisories
    Several vulnerabilities were discovered in Ampache, a web-based audio file management system.
    Package        : ampache
    Version        : 3.6-rzb2752+dfsg-5+deb8u1
    CVE ID         : CVE-2019-12385 CVE-2019-12386
    
    
    Several vulnerabilities were discovered in Ampache, a web-based audio
    file management system.
    
    CVE-2019-12385
    
        A stored XSS exists in the localplay.php LocalPlay "add instance"
        functionality. The injected code is reflected in the instances menu.
        This vulnerability can be abused to force an admin to create a new
        privileged user whose credentials are known by the attacker.
    
    CVE-2019-12386
    
        The search engine is affected by a SQL Injection, so any user able
        to perform lib/class/search.class.php searches (even guest users)
        can dump any data contained in the database (sessions, hashed
        passwords, etc.). This may lead to a full compromise of admin
        accounts, when combined with the weak password generator algorithm
        used in the lostpassword functionality.
    
    
    For Debian 8 "Jessie", these problems have been fixed in version
    3.6-rzb2752+dfsg-5+deb8u1.
    
    We recommend that you upgrade your ampache packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"65","type":"x","order":"1","pct":57.52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.27,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.2,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.