PatchSiren cyber security CVE debrief
CVE-2019-25731 Zuz CVE debrief
CVE-2019-25731 is a persistent cross-site scripting vulnerability in Zuz Music 2.1. The vulnerability allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface. The CVSS score for this vulnerability is 5.3, with a severity rating of MEDIUM.
- Vendor
- Zuz
- Product
- Zuz Music
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-10
Who should care
Administrators and users of Zuz Music 2.1 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by inadequate input validation and sanitization of user-supplied data in the contact form. Attackers can exploit this vulnerability by submitting malicious data, which is then executed when administrators view the messages.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to Zuz Music 2.1 to fix the vulnerability.
- Implement input validation and sanitization for user-supplied data in the contact form.
- Monitor the inbox interface for suspicious activity.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity rating.
Official resources
CVE-2019-25731 was published on 2019-04-09T00:00:00.000Z and modified on 2019-04-09T00:00:00.000Z.