CVE-2023-53918
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page (episodes_list.php).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53918
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
podcastgenerator podcast_generator 3.2.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in PodcastGenerator 3.2.9. It occurs in the episode title field via the episodes upload interface. An attacker can inject malicious JavaScript code into episode titles, which then executes when administrators view the episodes list page.

Impact Analysis

The vulnerability can allow attackers to execute malicious scripts in the context of the administrator's browser. This can lead to unauthorized actions, theft of sensitive information, or compromise of the administrator's session, potentially resulting in further system compromise.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the episode title field via the episodes upload interface (/admin/episodes_upload.php). One way to detect it is to review the episode titles stored in the system for suspicious script tags or event handlers such as <img src=1 onerror=alert('XSS-1')>. Additionally, monitoring HTTP POST requests to /admin/episodes_upload.php for multipart/form-data submissions containing suspicious payloads in the title field can help detect exploitation attempts. Commands to assist detection could include using curl or wget to fetch the episodes list page (/admin/episodes_list.php) and inspecting the HTML output for injected scripts, for example: curl -s -b cookies.txt https://yourdomain.com/admin/episodes_list.php | grep -i '<script\|onerror\|onload'. Also, reviewing server logs for POST requests to /admin/episodes_upload.php with suspicious payloads can be helpful. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the admin interface to trusted users only, as exploitation requires admin panel access. Avoid uploading or accepting untrusted episode titles or content. Applying input validation and output encoding to sanitize the episode title field to prevent script injection is critical. If a patch or updated version of PodcastGenerator addressing this vulnerability is available, apply it promptly. As a temporary workaround, review and remove any suspicious or malicious episode titles from the database. Additionally, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the episode title field. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart