CVE-2019-12385

Name of the Vulnerable Software and Affected Versions Ampache versions through 3.9.1

Description An issue in the search engine allows for SQL Injection, enabling any user, including guest users, to extract data from the database, such as sessions and hashed passwords. This could lead to the compromise of admin accounts, especially when combined with the weak password generator algorithm in the lostpassword functionality.

Recommendations For Ampache versions through 3.9.1, consider restricting access to the search functionality, specifically the lib/class/search.class.php file, until a fix is available. As a temporary workaround, limit the use of the lostpassword functionality to prevent exploitation of the weak password generator algorithm.