CVE-2024-51490 Overview
CVE-2024-51490 is a stored Cross-Site Scripting (XSS) vulnerability in Ampache, a web-based audio and video streaming application and file manager. The flaw resides in the interface section of the Ampache menu, where authenticated users can modify the Custom URL - Logo setting. The application fails to sanitize input submitted to this field, allowing attackers to inject arbitrary JavaScript that executes in the browsers of other users viewing the affected interface. Ampache version 7.0.0 is affected, and the maintainers released a fix in version 7.0.1.
Critical Impact
Authenticated attackers can inject persistent JavaScript that executes against any user loading the Ampache interface, enabling session theft, credential capture, and unauthorized actions within the application.
Affected Products
- Ampache 7.0.0
- Ampache web-based audio/video streaming application
- Ampache file manager component (interface menu)
Discovery Timeline
- 2024-11-11 - CVE-2024-51490 published to NVD
- 2024-11-14 - Last updated in NVD database
Technical Details for CVE-2024-51490
Vulnerability Analysis
The vulnerability is classified as [CWE-79], Improper Neutralization of Input During Web Page Generation. It is a stored XSS issue, meaning the malicious payload is persisted by the application and re-served to any user who loads the affected interface element. The Custom URL - Logo field accepts a string intended to point at a logo asset, but the application renders this value into the HTML response without escaping or filtering script-capable content.
Exploitation requires an authenticated user with permission to modify interface settings. Once the payload is saved, the script runs in the browser context of every user who renders the Ampache UI containing the logo. The scope change reflected in the CVSS vector indicates that the injected code can act beyond the vulnerable component's authorization boundary, affecting other users' sessions.
Root Cause
The root cause is missing output encoding on a user-controlled configuration value. The Custom URL - Logo input is treated as a trusted URL string and emitted directly into HTML attribute or tag context. Attackers can break out of the intended attribute with quote characters or supply a javascript: URI, embedding executable script content that the browser then parses and runs.
Attack Vector
The attack is network-based and requires user interaction from a victim who loads the Ampache interface after the payload is saved. An attacker with low-privileged authenticated access navigates to the interface configuration, sets the logo field to a malicious value containing JavaScript, and waits for administrators or other users to view the interface. The injected code runs with the victim's privileges, enabling cookie theft, account takeover, or pivoting to administrative functions.
No verified public proof-of-concept code is available. Technical details are described in the GitHub Security Advisory.
Detection Methods for CVE-2024-51490
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers stored in the Ampache Custom URL - Logo interface setting.
- Database rows in the Ampache preferences table containing markup characters such as <, >, or onerror= in the logo URL field.
- Outbound browser requests from administrator sessions to attacker-controlled domains shortly after loading the Ampache UI.
Detection Strategies
- Review Ampache configuration values, especially the interface logo setting, for non-URL content or HTML control characters.
- Inspect web server access logs for POST requests to the Ampache preferences endpoint that contain script-like payloads in form parameters.
- Compare the running Ampache version against the fixed release 7.0.1 to identify exposed installations.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline script violations originating from the Ampache interface.
- Monitor administrative account activity for anomalous session behavior immediately after viewing the Ampache UI.
- Alert on configuration changes to interface preferences performed by non-administrative accounts.
How to Mitigate CVE-2024-51490
Immediate Actions Required
- Upgrade Ampache to version 7.0.1 or later, which sanitizes the Custom URL - Logo field.
- Audit the current value of the logo configuration and reset it to a known-good URL if any HTML or script content is present.
- Rotate session tokens and credentials for accounts that may have rendered the Ampache UI while a malicious payload was stored.
Patch Information
The vulnerability is resolved in Ampache 7.0.1. The maintainers state there are no supported workarounds, and all users should upgrade. Refer to the Ampache GitHub Security Advisory GHSA-x979-f6px-7j2w for release details.
Workarounds
- No vendor-supported workarounds exist; upgrading to 7.0.1 is required.
- As an interim risk reduction, restrict access to interface preference settings to a minimal set of trusted administrators.
- Deploy a strict Content Security Policy that disallows inline scripts to reduce the impact of stored XSS payloads until patching is complete.
# Configuration example: upgrade Ampache via composer or replace the application files
# Verify installed version after upgrade
php /var/www/ampache/bin/cli version
# Expected output should report 7.0.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
