CVE-2019-25731
Description
Zuz Music 2.1 has a persistent XSS vulnerability in its contact form, allowing unauthenticated attackers to inject JavaScript executed by administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Zuz Music version 2.1 contains a persistent cross-site scripting (XSS) vulnerability. Unauthenticated attackers can inject malicious JavaScript code by submitting crafted data through the contact form. The vulnerability exists in the name, subject, and message parameters within POST requests sent to /gmusic/zuzconsole/___contact [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted POST requests to the /gmusic/zuzconsole/___contact endpoint. The malicious script is injected through the name, subject, or message fields. The injected script will execute when an administrator views the submitted messages within the inbox interface of the zuzconsole [1].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of an administrator's browser session. This can lead to session hijacking, unauthorized actions performed on behalf of the administrator, or further compromise of the application or underlying system, depending on the administrator's privileges and the injected script [1].
Mitigation
Zuz Music version 2.1 is affected by this vulnerability. Information regarding a fixed version or specific mitigation steps is not yet disclosed in the available references. Users are advised to consult vendor advisories for potential patches or workarounds [1].
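Since no vendor fix is referenced, the practical defence for this flaw class is output encoding at the point where the stored contact-form fields are rendered into the administrator's inbox. The following is an added illustration, not code from Zuz Music or from the CVE references; the ContactMessage type, the sample submission and the function names are all assumptions made for the example. It places the unsafe concatenation pattern the advisory describes beside an encoded rendering of the same three fields, and includes a check a defender can run over stored records to confirm the encoded values can no longer open a tag.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactMessage:
    """One contact-form submission as it would be stored server-side (hypothetical type)."""
    name: str
    subject: str
    message: str


# Constructed sample submission: each field carries markup, mirroring the
# name, subject and message parameters the advisory names. Not real data.
SAMPLE = ContactMessage(
    name="<script>x</script>",
    subject='Hello "world"',
    message="Please call me <b>today</b> & reply",
)

# Matches an unencoded tag opener such as "<b", "</b" or "< script".
_RAW_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")


def has_raw_tags(value: str) -> bool:
    """True if the string still contains an unencoded tag opener."""
    return _RAW_TAG.search(value) is not None


def escape_fields(msg: ContactMessage) -> ContactMessage:
    """HTML-entity-encode every untrusted field before it reaches the inbox template.

    html.escape(quote=True) also encodes both quote characters, so the
    values stay inert inside attribute values as well as in element text.
    """
    return ContactMessage(
        name=html.escape(msg.name, quote=True),
        subject=html.escape(msg.subject, quote=True),
        message=html.escape(msg.message, quote=True),
    )


def render_inbox_row_unsafe(msg: ContactMessage) -> str:
    """The flaw class in the advisory: stored fields concatenated straight into
    admin-facing HTML, so whatever markup the submitter sent is interpreted
    by the administrator's browser. Shown only as the 'before' pattern."""
    return (
        f"<tr><td>{msg.name}</td><td>{msg.subject}</td>"
        f"<td>{msg.message}</td></tr>"
    )


def render_inbox_row(msg: ContactMessage) -> str:
    """Hardened form: encode on output and leave the stored record untouched."""
    safe = escape_fields(msg)
    return (
        f"<tr><td>{safe.name}</td><td>{safe.subject}</td>"
        f"<td>{safe.message}</td></tr>"
    )


def inbox_fields_are_inert(msg: ContactMessage) -> bool:
    """Defender-side check: after encoding, no field can open a tag."""
    safe = escape_fields(msg)
    return not any(has_raw_tags(v) for v in (safe.name, safe.subject, safe.message))


if __name__ == "__main__":
    print("unsafe:", render_inbox_row_unsafe(SAMPLE))
    print("safe:  ", render_inbox_row(SAMPLE))
    print("inert after encoding:", inbox_fields_are_inert(SAMPLE))
```

Encoding at render time, rather than stripping on input, is the design choice here: the stored record keeps exactly what the submitter sent (useful for abuse investigation), while every administrator-facing view encodes it. If the inbox also echoes these fields into JavaScript or URL contexts, each of those contexts needs its own encoder; entity encoding alone only covers HTML element and attribute contexts.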
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.