CVE-2021-47914
Unknown Unknown - Not Provided
Persistent XSS in PHP Melody 3.0 edit-video.php Allows Hijacking

Publication date: 2026-02-01

Last updated on: 2026-02-11

Assigner: VulnCheck

Description
PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can exploit this vulnerability to execute arbitrary JavaScript, potentially leading to session hijacking, persistent phishing, and manipulation of application modules.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-14
NVD
CVE-2021-47914
EUVD
EUVD-2021-34757
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpsugar php_melody 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2021-47914 is a persistent cross-site scripting (XSS) vulnerability in PHP Melody version 3.0. It exists in the 'submitted' parameter of the 'edit-video.php' script, which does not properly neutralize input. This allows remote attackers with certain privileges (such as editors or moderators) to inject malicious JavaScript code that is stored persistently. When the affected video page is viewed (via 'watch.php'), the malicious script executes, enabling attacks like session hijacking, persistent phishing, and manipulation of application modules. [1, 2]

Impact Analysis

This vulnerability can lead to several security impacts including session hijacking, where attackers can steal user sessions; persistent phishing by injecting malicious content that deceives users; external redirects to malicious sites; and manipulation of application modules, potentially compromising the integrity and functionality of the application. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the 'edit-video.php' script, specifically looking for suspicious or malicious input in the 'submitted' parameter. Detection can involve inspecting HTTP traffic for payloads attempting to inject JavaScript code. While no specific commands are provided, using tools like curl or Burp Suite to send crafted POST requests to 'edit-video.php' and observing if the injected script executes when accessing 'watch.php' can help confirm the vulnerability. Additionally, web application firewalls (WAFs) can be configured to detect and block such malicious inputs. [2]

Mitigation Strategies

Immediate mitigation steps include: 1) Encoding, escaping, or filtering the 'submitted' parameter in POST requests to prevent script injection; 2) Restricting transmitted parameters by disallowing special characters; 3) Sanitizing output in 'watch.php' to block execution of injected scripts; 4) Implementing security headers and deploying web application firewalls to prevent exploitation. Applying the vendor's patch released on September 22, 2021, is also critical to fully remediate the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47914. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart