Description
An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.