Description
An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
Remediation
References
Related Vulnerabilities
Claroline Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2006-4844)
Internet Information Services Other Vulnerability (CVE-2000-0126)
WordPress Plugin Email Verification for WooCommerce Unspecified Vulnerability (1.8.1)
Oracle Database Server CVE-2015-4888 Vulnerability (CVE-2015-4888)