CVE-2024-28853

Name of the Vulnerable Software and Affected Versions Ampache versions prior to 6.3.1

Description A stored Cross Site Scripting (XSS) issue allows a remote attacker to execute code via a crafted payload to several parameters in the post request of "/preferences.php?action=admin update preferences".

Recommendations For versions prior to 6.3.1, update to version 6.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the "/preferences.php?action=admin update preferences" endpoint until a patch is available.