Impact
A cross-site scripting flaw has been identified in the Feedback.php POST request handler of the Online Music Site. By inserting script content into the fname, femail, faddress or fmessage fields, an attacker can make a victim's browser execute arbitrary JavaScript when the feedback page is viewed. The flaw does not expose system credentials, but it can compromise the confidentiality and integrity of the web application by stealing session data, defacing content or redirecting users to malicious sites.
Affected Systems
The vulnerability affects code-projects Online Music Site version 1.0, specifically the Frontend/Feedback.php component that processes POST requests.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. Although no EPSS score is available, the public release of an exploit and the fact that the attack can be launched remotely suggest that exploitation is plausible. The vulnerability is not listed in CISA's KEV catalog, but because it is publicly known and can harm users, patching should be treated as a high-priority action. The attack vector is remote and requires only a crafted HTTP POST request to the feedback endpoint, so the flaw is reachable from any network that can reach the site.
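The following is an added example of how a feedback handler for the four fields named above can be hardened; it is not code from the Online Music Site project. The field names come from the advisory, while the validation rules, the h() helper and the rendering layout are assumptions.

```php
<?php
// Added example (not the project's code): hardened handling of the feedback
// fields named in the advisory. The unsafe pattern the advisory describes is
// echoing a field straight into HTML, e.g.  echo '<p>' . $_POST['fmessage'] . '</p>';
declare(strict_types=1);

const FEEDBACK_FIELDS = ['fname', 'femail', 'faddress', 'fmessage'];

/** Escape a string for insertion into HTML element content or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate and normalise the submitted fields (limits are assumed values). */
function validateFeedback(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (FEEDBACK_FIELDS as $f) {
        $v = isset($post[$f]) && is_string($post[$f]) ? trim($post[$f]) : '';
        if ($v === '' || strlen($v) > 2000) {
            $errors[] = "$f is required and must be at most 2000 characters";
        }
        $clean[$f] = $v;
    }
    if ($clean['femail'] !== '' && filter_var($clean['femail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'femail is not a valid e-mail address';
    }
    return ['values' => $clean, 'errors' => $errors];
}

/** Render a feedback entry; every value is escaped at the point of output. */
function renderFeedback(array $values): string
{
    return '<div class="feedback">'
         . '<p><strong>' . h($values['fname']) . '</strong> &lt;' . h($values['femail']) . '&gt;</p>'
         . '<p>' . h($values['faddress']) . '</p>'
         . '<p>' . nl2br(h($values['fmessage'])) . '</p>'
         . '</div>';
}

// Constructed sample submission: a script tag in fmessage must be rendered as text.
$sample = ['fname' => 'Alice', 'femail' => 'alice@example.com',
           'faddress' => '1 Main St', 'fmessage' => "Hi <script>alert(1)</script>"];
$result = validateFeedback($sample);
assert($result['errors'] === []);
$html = renderFeedback($result['values']);
assert(strpos($html, '<script>') === false);
assert(strpos($html, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false);
echo $html, PHP_EOL;
```

Escaping at output time is the fix for this class of flaw; input validation alone does not prevent the browser from interpreting stored markup.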
OpenCVE Enrichment