CVE-2019-12386

Name of the Vulnerable Software and Affected Versions Ampache versions prior to 3.9.2

Description A stored XSS issue exists in the localplay.php LocalPlay "add instance" functionality, allowing injected code to be reflected in the instances menu. This can be exploited to force an admin into creating a new privileged user with known credentials.

Recommendations For versions prior to 3.9.2, update to version 3.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the localplay.php LocalPlay "add instance" functionality to minimize the risk of exploitation.