PHP Melody Persistent Cross-Site Scripting Vulnerability in Video Editing Module

A persistent cross-site scripting vulnerability has been identified in PHP Melody version 3.0. The issue resides in the video editing module, specifically within the 'submitted' parameter of 'edit-video.php'. This vulnerability allows remote attackers with editor or moderator privileges to inject malicious scripts that are executed in the context of the user’s session. Exploitation could lead to session hijacking, persistent phishing attacks, and unauthorized manipulation of application modules.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed when the affected video is viewed. This could lead to session hijacking, allowing an attacker to impersonate the victim, and could be used to conduct persistent phishing attacks or manipulate other application modules.

Reproduction

To reproduce this vulnerability, log into PHP Melody as a user with editor or moderator privileges. Navigate to the video editing page and inject a script into the 'submitted' parameter. Once the video is saved, the injected script will be executed when the video is watched.

Remediation

Users are advised to update to the patched version of PHP Melody 3.0, available in the customer account under the 'Download Updates' page.