MEDIUM 6.1

CVE-2019-25731: Stored XSS in Zuz Music 2.1 Contact Form

Zuz Music version 2.1 has a flaw that lets anyone send malicious code through the contact form without needing to log in. When site administrators read these messages, the injected code runs in their browsers, potentially allowing attackers to steal session data, modify settings, or trick them into performing unwanted actions. This is a persistent vulnerability, meaning the malicious payload stays stored on the server and affects every admin who views the inbox.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25731 is a stored cross-site scripting (XSS) vulnerability in Zuz Music 2.1's contact form handler at the endpoint /gmusic/zuzconsole/___contact. The vulnerability stems from insufficient input validation and output encoding on the name, subject, and message POST parameters. An unauthenticated attacker can craft a request containing JavaScript payloads in any of these fields; the application stores these payloads without sanitization. When an administrator accesses the inbox to review contact submissions, the stored script executes within the administrator's browser context with the same privileges and session rights, enabling unauthorized actions within the application's scope.

Business impact

This vulnerability directly threatens administrative operations and data security. Attackers can exploit administrator sessions to alter account settings, modify application configurations, access sensitive customer or system data, or escalate privileges. The attack requires no special access—an attacker can send a crafted contact form from anywhere on the internet. The persistent nature means the malicious payload remains active until manually removed, potentially affecting multiple administrators over time. Organizations relying on Zuz Music for contact management face ongoing risk until the vulnerability is patched.

Affected systems

Zuz Music version 2.1 is affected. The vulnerability exists in the contact form processing logic accessible at /gmusic/zuzconsole/___contact. Any installation of this version is vulnerable to exploitation via unauthenticated POST requests. Earlier or later versions of Zuz Music may or may not be affected; verify your specific version against vendor advisories.

Exploitability

This vulnerability has a low complexity attack surface. No special tools, authentication, or user interaction on the attacker's side is required—an attacker simply needs to craft a POST request with malicious JavaScript in the form fields. However, the vulnerability does require administrator interaction: a victim (administrator) must view the injected message for the payload to execute. The attack succeeds in current and future sessions until the message is deleted. The network-accessible nature and lack of authentication requirements keep the barrier to exploitation very low.

Remediation

The primary remediation is to upgrade Zuz Music to a patched version that properly sanitizes and encodes user input from contact forms. In the interim, apply input validation to reject or neutralize script tags and JavaScript protocols in the name, subject, and message fields. Configure Content Security Policy (CSP) headers to restrict inline script execution. Additionally, review the inbox for any suspicious contact submissions and delete them to prevent payload execution during administrative access.

Patch guidance

Contact the Zuz Music vendor or check their official release notes for patched versions addressing this XSS vulnerability. Apply the patch to all Zuz Music installations in your environment. Verify the patch by confirming that the application properly escapes HTML special characters and sanitizes user input before storage. Test the contact form with known XSS payloads (e.g., <script>alert('XSS')</script>) to confirm they are no longer executed when viewed by administrators.

Detection guidance

Monitor HTTP POST requests to /gmusic/zuzconsole/___contact for payloads containing script tags, event handlers (onclick, onerror, etc.), or JavaScript protocol handlers. Examine stored contact form data in the application database for unusual or suspicious entries containing HTML or JavaScript syntax. Review administrator access logs and browser console logs for unexpected script execution or errors when accessing the inbox interface. Implement Web Application Firewall (WAF) rules to block or flag contact submissions containing encoded or obfuscated JavaScript patterns.

Why prioritize this

This vulnerability merits prompt attention despite its MEDIUM CVSS score. The attack surface is broad (unauthenticated, network-accessible), the attack vector is simple, and compromise of administrator accounts can lead to lateral movement, data theft, or further system compromise. The persistent nature amplifies risk—a single injection affects all subsequent administrator interactions. Organizations should prioritize patching within their normal maintenance windows, particularly if their Zuz Music instance handles sensitive customer or operational data.

Risk score, explained

The CVSS 3.1 score of 6.1 (MEDIUM) reflects several factors: network accessibility with no authentication (AV:N, PR:N) and low attack complexity (AC:L) increase the base score. However, the requirement for administrator interaction (UI:R) and the scope of impact being limited to confidentiality and integrity (C:L, I:L) without availability impact (A:N) moderate the severity. The cross-origin nature (S:C) extends potential impact slightly. The score appropriately captures that while exploitation is straightforward, real-world impact depends on what attackers can accomplish with compromised administrator sessions and whether sensitive data or systems are at stake in your environment.

Frequently asked questions

Can this vulnerability be exploited if my Zuz Music instance is not accessible from the internet?

No—the vulnerability requires network access to the contact form endpoint. If your instance is behind a firewall or restricted to internal-only access, external attackers cannot send the malicious contact forms. However, internal threats or compromised internal systems could still exploit it. Patching remains recommended regardless.

What if we delete suspicious contact messages—does that stop the vulnerability?

Deleting messages removes the stored payload and stops it from executing for future admin access. However, this is a temporary mitigation, not a fix. The vulnerability itself remains present, and new attacks can be submitted at any time. Patch the application to prevent the root cause.

How would an attacker use a compromised administrator session?

An attacker could modify application settings, change other administrator credentials, access customer data submitted through the contact form, or perform any action the compromised administrator is authorized to perform. This could include exfiltrating sensitive information, defacing the application, or establishing persistence.

Does upgrading Zuz Music automatically clean up old malicious contact entries?

Patching prevents new injections but does not automatically sanitize or remove existing malicious payloads from the database. After upgrading, manually review and delete any suspicious contact submissions from the inbox to eliminate stored attack vectors.

This analysis is provided for informational purposes to support vulnerability management and security decision-making. The information is based on available public data and vendor disclosures as of the publication date. We make no guarantees regarding the completeness, accuracy, or applicability of this information to your specific environment. Always verify compatibility and functionality of patches in a test environment before deploying to production. Consult the official Zuz Music vendor advisory for authoritative guidance on affected versions, patch availability, and remediation steps. Organizations should conduct their own risk assessment based on their specific deployment, data sensitivity, and threat landscape. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).