CVE Catalog

CVE-2019-25731

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

25th percentile - higher than 25% of all known CVEs

Summary

Zuz Music 2.1 contains a persistent cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact.

Risk Assessment

Attackers can exploit this vulnerability to execute malicious code in the context of the administrators' browser, potentially leading to data theft or account takeover. This poses a serious threat to the security of the system and the organization's data.

Recommendation

It is recommended to update Zuz Music to the latest version that addresses this vulnerability. Additionally, input validation and sanitization should be implemented for contact form data.

Original NVD description (English source)

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS