The third-party advisory at $URL shows a reflected XSS in Ampache. There are a few more details in the Secunia advisory at http://secunia.com/advisories/44497/.
There's something in the Changelog at http://gitorious.org/ampache/ampache/blobs/master/docs/CHANGELOG: "Correct potential security issues due to misuse of REQUEST for write operations rather then POST (Thx Raphael Geissert <geissert@debian.org>)". This is in the changes for 3.6-Alpha1, but I doubt this is the same issue? If not, what's the next step here? Security mask since no non-live ebuild can be made available?
www-apps/ampache bumped to 3.8.1, no GLSA for XSS
Re-opening to stabilize in bug 297709
Stabilization and cleanup done