Lightweight Music Server Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Lightweight Music Server (LMS) versions through 3.76.0. This vulnerability allows attackers to execute arbitrary JavaScript by embedding malicious HTML into media file metadata tags such as GENRE, ARTIST, or ALBUM. Once a crafted media file is introduced into the victim's library, the malicious payload is saved during the library scanning process. The executed content is rendered in the web interface without proper sanitization, exploiting the vulnerability.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected media.

Reproduction

To reproduce this vulnerability, upload a media file with malicious HTML embedded in the metadata tags (such as GENRE, ARTIST, or ALBUM) into the victim's library. During the next library scan, the injected script will be executed automatically when the track's information is viewed or the file is played in the web interface.