PHP Melody Persistent Cross-Site Scripting Vulnerability in Video Editor

A persistent cross-site scripting vulnerability has been identified in PHP Melody version 3.0. This issue resides within the video editor, specifically in the WYSIWYG editor powered by TinyMCE. The vulnerability allows users with editor or admin privileges to inject malicious scripts that are saved in the database and executed when other users or administrators access the edited content. Exploitation of this vulnerability could lead to session hijacking and unauthorized manipulation of the application.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the content. This could lead to session hijacking and manipulation of the application.

Reproduction

To reproduce this vulnerability, log into PHP Melody 3.0 with an account that has editor or admin privileges. Navigate to the video editor and inject a script into the description field using the WYSIWYG editor. Once the script is injected, save the changes. The injected script will be executed when the content is viewed by other users or administrators.

Remediation

Users are advised to update to the latest version of PHP Melody, where this vulnerability has been patched. The update is available in the customer account under the 'Download Updates' page.