Description
An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
Remediation
References
Related Vulnerabilities
WordPress Plugin Ivory Search-WordPress Search Cross-Site Scripting (4.6)
MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-5241)
Omeka Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-3981)
WordPress Plugin Social Like Box and Page by WpDevArt Unspecified Vulnerability (0.8.39)