← back
CVE-2019-25731

Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact

CVSS 5.3 MEDIUMEPSS 0.2%CWE-79
Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Zuz · Zuz Music
public PoCs found1
cve_referencewww.exploit-db.com/exploits/46420unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476https://www.exploit-db.com/exploits/46420https://www.vulncheck.com/advisories/zuz-music-persistent-cross-site-scripting-via-zuzconsole-contacthttps://zuz.host/