PHP Melody v3.0 Persistent XSS Vulnerability in submitted Parameter

Critical Vulnerability Information Vulnerability Overview Vulnerability Name: PHP Melody v3.0 - (submitted) Persistent XSS Vulnerability Release Date: 2021-10-20 Vulnerability ID: 2292 CVSS Score: 5.6 Vulnerability Type: Persistent Cross-Site Scripting (XSS) Affected Product Vendor: PHPSUGAR Product: PHP Melody v3.0 - Video CMS (Web Application) Vulnerability Disclosure Timeline 2021-09-01: Researcher Notification & Coordination (Security Researcher) 2021-09-02: Vendor Notification (Security Department) 2021-09-04: Vendor Response/Feedback (Security Department) 2021-09-22: Vendor Fix/Patch (Development Team) 2021-09-22: Security Acknowledgment (Security Department) 2021-10-20: Public Disclosure (Vulnerability Lab) Vulnerability Details & Description Vulnerable Location: parameter in file Attack Method: Remote attackers can inject malicious script code into the parameter of via privileged editing user accounts Affected File: Risk: Successful exploitation may lead to session hijacking, persistent phishing attacks, external redirection to malicious sources, and continuous manipulation of application modules Authentication Type: Restricted Authentication (Admin Privileges) User Interaction: Low Interaction Proof of Concept (PoC) Website: PHP Melody Local Deployment ( ) Example Payload: - Log Example: The parameter in is exploited via HTTP POST method Remediation 1. Encode, escape, or filter parameters transmitted via POST method 2. Restrict all transmitted parameters by disallowing special characters 3. Eliminate dangerous outputs and negotiate output locations in 4. Implement security headers and Web Application Firewall (WAF) to prevent further exploitation and development

Goal Reached Thanks to every supporter — we hit 100%!

PHP Melody v3.0 Persistent XSS Vulnerability in submitted Parameter

More from this source