CVE-2019-25731

MEDIUM

Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25731. PoCs published by Deyaa Muhammad.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in Zuz Music 2.1 by injecting malicious JavaScript into the 'name', 'subject', and 'message' parameters of the contact form. The payload is executed when an administrator views the message in the admin inbox.

Description

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface.

Exploits (1)

exploitdb WORKING POC
by Deyaa Muhammad · textwebappsphp
https://www.exploit-db.com/exploits/46420

This exploit demonstrates a persistent XSS vulnerability in Zuz Music 2.1 by injecting malicious JavaScript into the 'name', 'subject', and 'message' parameters of the contact form. The payload is executed when an administrator views the message in the admin inbox.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Zuz Music 2.1
No auth needed
Prerequisites: Access to the contact form endpoint
devstral-2 · analyzed Jun 04, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit exploit
ExploitDB-46420
https://www.exploit-db.com/exploits/46420
Product product
Official Product Homepage
https://zuz.host/
Third Party Advisory third-party-advisory
VulnCheck Advisory: Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact
https://www.vulncheck.com/advisories/zuz-music-persistent-cross-site-scripting-via-zuzconsole-contact

Scores

CVSS v3 6.1
EPSS 0.0009
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Zuz/Zuz Music 2.1
Published Jun 04, 2026
Tracked Since Jun 04, 2026