PodcastGenerator Stored Cross-Site Scripting Vulnerability in Episode Title Field

A stored cross-site scripting vulnerability has been identified in PodcastGenerator version 3.2.9. This issue resides in the episode title field within the episodes upload interface. Malicious JavaScript injected into the episode titles is executed when administrators access the episodes list page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the episodes list.

Reproduction

To reproduce this vulnerability, upload a new episode through the episodes upload interface. Inject a script payload into the title section, such as an image tag with an 'onerror' event. After uploading, the injected script will execute when the episodes list page is viewed. This vulnerability can also be reproduced by injecting scripts into the Freebox content customization section or the podcast details section, which will execute when the homepage is accessed.