CVE-2019-25731
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
Zuz Music 2.1 contains a persistent cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact.
Risk Assessment
Attackers can exploit this vulnerability to execute malicious code in the context of the administrators' browser, potentially leading to data theft or account takeover. This poses a serious threat to the security of the system and the organization's data.
Recommendation
It is recommended to update Zuz Music to the latest version that addresses this vulnerability. Additionally, input validation and sanitization should be implemented for contact form data.
Original NVD description (English source)
Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.

