366689 – <www-apps/ampache-3.8.1: Cross Site Scripting Vulnerability

Bug 366689 - <www-apps/ampache-3.8.1: Cross Site Scripting Vulnerability

Summary: <www-apps/ampache-3.8.1: Cross Site Scripting Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.autosectools.com/Advisory/...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	297709
Blocks:
	Show dependency tree

Reported:	2011-05-10 04:24 UTC by Tim Sammut (RETIRED)
Modified:	2016-01-18 08:58 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2011-05-10 04:24:04 UTC

The third-party advisory at $URL shows a reflected XSS in Ampache. There is a little more details in the Secunia advisory at http://secunia.com/advisories/44497/.

Comment 1 Matti Bickel (RETIRED) gentoo-dev

2013-01-01 22:20:38 UTC

There's something in the Changelog at http://gitorious.org/ampache/ampache/blobs/master/docs/CHANGELOG:

Correct potential security issues due to misuse of REQUEST for write
operations rather then POST (Thx Raphael Geissert <geissert@debian.org>)

This is in the changes for 3.6-Alpha1, but I doubt this is the same issue? If not, what's the next step here? Security mask since no non-live ebuild can be made available?

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-01-08 17:09:04 UTC

www-apps/ampache bumped to 3.8.1, no GLSA for XSS

Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-01-08 17:12:24 UTC

Re-opening to stabilize in bug 297709

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-01-18 08:58:04 UTC

Stabiliation and cleanup done