CVE-2019-25731 | THREATINT

Description

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-05 | Assigner VulnCheck

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

2.1

affected

Credits

Deyaa Muhammad finder

References

www.exploit-db.com/exploits/46420 (ExploitDB-46420) exploit

zuz.host/ (Official Product Homepage) product

codecanyon.net/...sic-advance-music-platform-system/21633476 (Product Reference) product

www.vulncheck.com/...s-site-scripting-via-zuzconsole-contact (VulnCheck Advisory: Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact) third-party-advisory

cve.org (CVE-2019-25731)

nvd.nist.gov (CVE-2019-25731)

Download JSON