CVE-2019-25731
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Zuz | Zuz Music | 2.1 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/46420
- https://zuz.host/
- https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476
- https://www.vulncheck.com/advisories/zuz-music-persistent-cross-site-scripting-via-zuzconsole-contact
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.