CVE-2024-51144
Published: 05 March 2025
Description
Cross-Site Request Forgery (CSRF) in Ampache 6.6.0 and earlier. The private-message endpoints (pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete) and the user follow toggle (ajax.server.php?page=user&action=flip_follow) change state without a CSRF check, so an adversary who gets a logged-in user to click a malicious link can have that user's browser submit the requests on the user's behalf.
Security Summary
CVE-2024-51144 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting Ampache versions up to and including 6.6.0. The issue exists in the endpoints pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, and ajax.server.php?page=user&action=flip_follow, which lack proper CSRF protections.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vector says the attack is reachable over the network, has low complexity, needs no privileges on the attacker's side (the victim's own authenticated session supplies them), and requires one user interaction, typically following a malicious link. Because the browser attaches the victim's session cookie to any request the attacker's page triggers, the server cannot tell the forged request from a legitimate one unless the request must also carry a value the attacker cannot obtain. An attacker can therefore add private messages, confirm deletion of messages, or toggle follow status as the victim; the vector rates the resulting confidentiality, integrity and availability impact as high.
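The following is an added example, not Ampache's code: it models the three endpoints above as plain handlers that act on any request carrying a valid session, then wraps them in a synchronizer-token check (plus an Origin check as defence in depth) and replays a forged cross-site request against both versions. The origin `https://ampache.example`, the user names, the parameter names (`to_user`, `msg_id`, `user_id`) and the token field name `form_validation` are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumed deployment origin of the Ampache instance (illustrative value).
SITE_ORIGIN = "https://ampache.example"
# Assumed name of the anti-CSRF token parameter; Ampache's real field may differ.
TOKEN_PARAM = "form_validation"


@dataclass
class Session:
    """Server-side session bound to the browser's cookie."""
    user: str
    # Per-session secret; an attacker's page cannot read it (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    path: str                      # e.g. "pvmsg.php?action=add_message"
    session: Session               # the browser attaches the session cookie automatically
    params: Dict[str, str]
    origin: Optional[str] = None   # Origin header; browsers send it on cross-site POSTs


@dataclass
class State:
    messages: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)
    follows: set = field(default_factory=set)


# The three state-changing actions, modelled with no CSRF check at all.
def add_message(req: Request, state: State) -> int:
    msg_id = len(state.messages) + 1
    state.messages[msg_id] = (req.session.user, req.params["to_user"], req.params["message"])
    return 200


def confirm_delete(req: Request, state: State) -> int:
    state.messages.pop(int(req.params["msg_id"]), None)
    return 200


def flip_follow(req: Request, state: State) -> int:
    state.follows.symmetric_difference_update({(req.session.user, req.params["user_id"])})
    return 200


VULNERABLE_ROUTES: Dict[str, Callable[[Request, State], int]] = {
    "pvmsg.php?action=add_message": add_message,
    "pvmsg.php?action=confirm_delete": confirm_delete,
    "ajax.server.php?page=user&action=flip_follow": flip_follow,
}


def require_csrf(handler):
    """Synchronizer-token check, with an Origin check as defence in depth."""
    def guarded(req: Request, state: State) -> int:
        # Reject requests that declare a foreign origin outright.
        if req.origin is not None and req.origin != SITE_ORIGIN:
            return 403
        # The token is the real control: it is absent from any cross-site request,
        # including GET links that carry no Origin header at all.
        sent = req.params.get(TOKEN_PARAM, "")
        if not hmac.compare_digest(sent.encode(), req.session.csrf_token.encode()):
            return 403
        return handler(req, state)
    return guarded


HARDENED_ROUTES = {path: require_csrf(h) for path, h in VULNERABLE_ROUTES.items()}


def dispatch(routes, req: Request, state: State) -> int:
    return routes[req.path](req, state)


def replay_forged_follow(routes, origin: Optional[str] = "https://attacker.example") -> Tuple[int, bool]:
    """Victim alice is logged in; a page the attacker controls submits the follow toggle
    with alice's cookie. Returns (status, whether the follow was actually created)."""
    victim, state = Session(user="alice"), State()
    forged = Request("ajax.server.php?page=user&action=flip_follow", victim,
                     {"user_id": "mallory"}, origin=origin)
    status = dispatch(routes, forged, state)
    return status, ("alice", "mallory") in state.follows


def replay_legitimate_message(routes) -> Tuple[int, int]:
    """Same-origin form carrying the session's token: must still work after the fix."""
    victim, state = Session(user="alice"), State()
    legit = Request("pvmsg.php?action=add_message", victim,
                    {"to_user": "bob", "message": "hi", TOKEN_PARAM: victim.csrf_token},
                    origin=SITE_ORIGIN)
    status = dispatch(routes, legit, state)
    return status, len(state.messages)


if __name__ == "__main__":
    print("vulnerable:", replay_forged_follow(VULNERABLE_ROUTES))   # (200, True)
    print("hardened:  ", replay_forged_follow(HARDENED_ROUTES))     # (403, False)
```

The token check is the control that actually closes the hole; the Origin comparison only adds coverage for browsers that send the header, and a plain cross-site GET link sends none, which is why the model also replays the forged request with no Origin. If any of the real endpoints accepts state changes over GET, the token check has to apply on that path too, not only on POST.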
Advisories and mitigation guidance are available in the Ampache GitHub repository at https://github.com/ampache/ampache, as well as researcher publications at https://nitipoom-jar.github.io/CVE-2024-51144/ and https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-51144. Security practitioners should consult these sources for patch details and recommended remediation steps.
Details
- CWE(s)
  - CWE-352: Cross-Site Request Forgery (CSRF)
MITRE ATT&CK Enterprise Techniques
- T1566.002 Phishing: Spearphishing Link
- T1204.001 User Execution: Malicious Link
Why these techniques?
Exploiting the CSRF flaw requires an already-authenticated Ampache user to follow a link, or load a page, that the attacker controls; the browser then submits the forged request to the unprotected endpoint with the user's session cookie attached. That chain maps directly to spearphishing link delivery and malicious link execution.