CVE-2021-47912
Multiple XSS Vulnerabilities in PHP Melody 3.0 Enable Session Hijacking
Publication date: 2026-02-01
Last updated on: 2026-02-12
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpsugar | php_melody | 3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47912 covers multiple non-persistent (reflected) cross-site scripting (XSS) vulnerabilities in PHP Melody version 3.0. They occur in the categories, import, and user-import admin scripts, where unvalidated GET request parameters allow an attacker to inject script. When that script executes in a victim's browser, the attacker can perform client-side attacks such as session hijacking. The injection happens through the unsanitized parameters `moved`, `username`, and `keyword`, whose values are reflected in status or error messages in the admin panel UI. [1, 2]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to session hijacking, phishing attacks, unauthorized manipulation of the CMS application modules, and redirection to malicious external sites. Attackers can execute arbitrary JavaScript in the victim's browser, potentially compromising user sessions and sensitive data. The attack has low complexity, needs at most limited privileges, and requires no authentication, which makes it a significant risk, especially when the victim is a user with elevated permissions such as an admin or editor. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable PHP Melody admin interface URLs for reflected XSS via the specified GET parameters. You can attempt to inject typical XSS payloads into the parameters `moved` (in categories.php), `username` (in import-user.php), and `keyword` (in import.php) and observe whether the payload is reflected and executed in the browser. Example URLs to test include:

- `https://yourdomain/admin/categories.php?type=genre&id=1&moved=""><iframe src=a onload=alert(document.cookie)>`
- `https://yourdomain/admin/import-user.php?action=search&username=""><iframe src=evil.source onload=alert(document.cookie)>`
- `https://yourdomain/admin/import.php?action=search&keyword=""><iframe src=evil.source onload=alert(document.cookie)>`

You can use curl to send these requests and then manually check the responses in a browser, or use automated tools like OWASP ZAP or Burp Suite to detect reflected XSS. For example:

`curl -i "https://yourdomain/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E"`

If the payload is reflected unescaped in the response, the vulnerability exists. [2]
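A defender-side complement to the URL tests above, added here as an example that is not part of the advisory or of PHP Melody: a PHP 8 CLI script that scans web-server access-log lines (Combined Log Format) for requests to the three admin scripts whose reflected parameter carries HTML metacharacters. The script-to-parameter map is taken from the answer above; the function names are assumptions, and the log lines are constructed.

```php
<?php
// Added example, not part of the advisory or of PHP Melody: scan web-server
// access-log lines for requests to the three admin scripts named in
// CVE-2021-47912 whose reflected GET parameter carries HTML metacharacters.
// Function names are assumptions; the sample log lines below are constructed.

declare(strict_types=1);

// Admin script => the parameter the advisory says is reflected without encoding.
const WATCHED_PARAMS = [
    '/admin/categories.php'  => 'moved',
    '/admin/import-user.php' => 'username',
    '/admin/import.php'      => 'keyword',
];

/** Extract client IP, method and request target from a Combined Log Format line. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;   // not a request line in the expected format
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]];
}

/**
 * True when the target hits a watched script and the watched parameter, after
 * URL-decoding, contains a character that can close an attribute or open a tag.
 */
function isSuspicious(string $target): bool
{
    [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
    foreach (WATCHED_PARAMS as $script => $param) {
        if (!str_ends_with($path, $script)) {
            continue;
        }
        parse_str($query, $params);            // parse_str URL-decodes the values
        $value = $params[$param] ?? '';
        return is_string($value) && preg_match('/[<>"\']/', $value) === 1;
    }
    return false;                              // not one of the watched scripts
}

/** Return every parsed request that looks like a probe of the vulnerable parameters. */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req !== null && isSuspicious($req['target'])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample: a benign request, a URL-encoded probe in "moved", a raw "<"
// in "username", and a metacharacter on a script the advisory does not cover.
$sampleLog = [
    '203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /admin/categories.php?type=genre&id=1&moved=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Feb/2026:10:00:02 +0000] "GET /admin/categories.php?type=genre&id=1&moved=%22%3E%3Cb%3Eprobe HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/Feb/2026:10:00:03 +0000] "GET /admin/import-user.php?action=search&username=<b>probe HTTP/1.1" 200 700',
    '198.51.100.9 - - [01/Feb/2026:10:00:04 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 300',
];

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    echo "possible XSS probe from {$hit['ip']}: {$hit['method']} {$hit['target']}\n";
}
```

Matching is done on the decoded value, so a percent-encoded probe and a raw one are treated the same, and a metacharacter in a parameter the advisory does not mention is ignored to keep the alert rate low. To run it against a real log, replace `$sampleLog` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)`.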
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Apply the official patch released on September 22, 2021, which fixes the XSS vulnerabilities.
2. Encode, escape, or filter the vulnerable GET parameters (`moved`, `username`, `keyword`) to prevent script injection.
3. Restrict transmitted parameters by disallowing special characters that can be used for script injection.
4. Sanitize status and error message outputs in the admin interface to prevent execution of injected scripts.
5. Optionally, implement security headers (such as Content Security Policy) and deploy a web application firewall (WAF) to block exploitation attempts.
6. Limit access to the admin panel to trusted users and networks to reduce risk.

Applying the patch is strongly advised as the primary fix. [2, 4]
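An added example in PHP, not PHP Melody's own code, of what steps 2 to 5 look like in practice: the unsafe reflected-status-message pattern the advisory describes beside a hardened version that validates the `moved` parameter, HTML-encodes anything echoed into the page, and sends a Content Security Policy. The function names, the message text, and the assumption that `moved` is a non-negative integer count are mine; only the parameter names come from the advisory.

```php
<?php
// Added example (not PHP Melody's code): the reflected-status-message pattern
// from CVE-2021-47912, shown vulnerable and hardened. Function names, message
// text and the "moved is an integer count" assumption are mine; only the
// parameter names moved/username/keyword come from the advisory.

declare(strict_types=1);

// Vulnerable pattern: the GET value is concatenated straight into the admin page,
// so a value such as "><b>... closes the attribute/tag context and is rendered as markup.
function renderStatusVulnerable(array $get): string
{
    $moved = $get['moved'] ?? '';
    return '<div class="status">Moved ' . $moved . ' item(s).</div>';
}

// HTML-encode for output in element content or a double/single-quoted attribute.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern for a parameter with a known shape (assumed: non-negative integer):
// validate first, echo a fixed message on failure, and encode even the accepted value.
function renderStatusHardened(array $get): string
{
    $raw = $get['moved'] ?? '0';
    $moved = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($moved === false) {
        // The rejected value is never echoed, so there is nothing to inject into.
        return '<div class="status error">Invalid request.</div>';
    }
    return '<div class="status">Moved ' . h((string) $moved) . ' item(s).</div>';
}

// Free-text search terms (username in import-user.php, keyword in import.php)
// cannot be restricted to digits, so they are encoded at the point of output.
function renderSearchHardened(string $term): string
{
    return '<p>No results for <b>' . h($term) . '</b></p>';
}

// Defence in depth: a CSP without 'unsafe-inline' means an injected <script> or
// onload= handler is not executed even where an encoding call was missed.
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    }
}

// Constructed probe with the same shape as the advisory's payloads (harmless <b> tag).
$probe = ['moved' => '"><b>probe</b>'];

sendCspHeader();                                   // must precede any output
echo renderStatusVulnerable($probe), "\n";         // markup passes through unchanged
echo renderStatusHardened($probe), "\n";           // value rejected, fixed message shown
echo renderSearchHardened('"><b>probe</b>'), "\n"; // markup rendered as literal text
```

Encoding at output (step 2/4) is the fix that closes the bug; input validation (step 3) and the CSP header (step 5) are layered on top so that a single missed `h()` call does not become a working injection again. The CSP shown assumes the admin panel loads its scripts from its own origin; a site using inline scripts would need nonces or hashes instead of dropping `'unsafe-inline'` outright.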