Lachlan-00

**Name of the Vulnerable Software and Affected Versions** ampache/ampache versions prior to 5.5.7 **Description** The issue is related to Cross-site Scripting (XSS) - Reflected. This is a type of attack where an attacker injects malicious code into a website, which is then executed by the user's browser. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 5.5.7, update to version 5.5.7 or later to resolve the issue. At the moment, there is no other information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Ampache versions prior to 4.2.2 **Description** The issue allows unauthenticated users to perform SQL injection. A fix for this issue is included in version 4.2.2 and the development branch. **Recommendations** For versions prior to 4.2.2, update to version 4.2.2 or switch to the development branch to resolve the issue. As a temporary workaround, consider restricting access to sensitive database operations until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Ampache versions prior to 4.4.1 **Description** The issue allows unauthenticated access to Ampache using the subsonic API. To exploit this, an attacker must use a `username` that is not part of the site to bypass the auth checks. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the subsonic API until a patch is applied. Avoid using unknown or unverified `username` values in the subsonic API to minimize the risk of exploitation.