CVE-2026-48559

Medium
CWE-79 — Weakness Type
Published: Jun 1, 2026  ·  Modified: Jun 4, 2026  ·  Source: NVD
CVSS v3
5.4
📄 Description (English)

Lightweight Music Server (LMS) through 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface, because tag content is rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.

🤖 AI Executive Summary

Lightweight Music Server (LMS) versions through 3.76.0 contain a stored cross-site scripting (XSS) vulnerability in media file metadata handling. An attacker who can place a crafted media file in the library injects JavaScript through its GENRE, ARTIST, or ALBUM tags; the payload is stored when the library is scanned and runs in the browser of any user who views the affected entry in the web interface. This vulnerability poses a moderate risk to organizations using LMS for internal media management, particularly those with shared library access.

🤖 AI Intelligence Analysis Analyzed: Jun 1, 2026 18:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using LMS for internal media management, particularly in government agencies, educational institutions, and corporate environments with shared media libraries, face moderate risk. The vulnerability could enable unauthorized access to user sessions, credential theft, or malware distribution within internal networks. Organizations in the media and entertainment sector, as well as those managing digital archives, are most vulnerable. The lack of available patches increases exposure duration for affected deployments.
🏢 Affected Saudi Sectors
Government Agencies Educational Institutions Media and Entertainment Corporate/Enterprise Digital Archives and Libraries
⚖️ Saudi Risk Score (AI)
5.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all LMS instances in your environment and record which run 3.76.0 or earlier
2. Restrict access to the LMS web interface to trusted internal networks using firewall rules
3. Add Content Security Policy (CSP) headers that disallow inline script execution; roll them out in report-only mode first, since a web UI that depends on inline scripts will break under a strict script-src
4. Review the media library for files whose GENRE, ARTIST or ALBUM tags contain HTML markup

Compensating Controls:
1. Web Application Firewall (WAF) rules help only where the WAF inspects responses: the payload is stored in scanned media files and delivered to the victim in the page body, not in the victim's request, and if files reach the library by upload, sync or a shared filesystem the WAF never sees the injection at all
2. Enable browser security extensions that block XSS attacks for users accessing LMS
3. Sanitize metadata before rendering; in LMS this is a source change at the reported sink in src/lms/ui/Utils.cpp, not an operator setting
4. Use HTML entity encoding for all metadata display in templates (render tag text as plain text rather than Wt::TextFormat::UnsafeXHTML); output encoding is the control that holds regardless of what an input filter misses
5. Monitor LMS logs for suspicious metadata patterns or failed parsing attempts
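The following is an added example, not code from the LMS project or from the CVE report. It models in Python the sink described in the advisory (tag text interpolated into the page as raw XHTML) next to a blocklist input filter (compensating control 3) and output encoding (compensating control 4), and shows why the encoding is the fix that holds: a filter that strips <script> still lets an event-handler payload through, while entity encoding neutralizes every variant. The tag values and the text-level "would this run" oracle are constructed for the example; a real browser is the only authoritative oracle.

```python
import html
import re

# Constructed sample tag values (not taken from any real file or from the CVE report):
# the first three carry a script vector, the last is a benign value with HTML metacharacters.
TAGS = {
    "GENRE": "Rock<script>alert(document.cookie)</script>",
    "ARTIST": '<img src=x onerror="alert(document.cookie)">',
    "ALBUM": "<svg/onload=alert(1)>",
    "TITLE": "Tom & Jerry <Live>",
}

# Crude oracle for "would a browser run script here": an element named script, or any
# element carrying an event-handler attribute or a javascript: URL. Text-level only.
ELEMENT = re.compile(r"<\s*([a-z][a-z0-9]*)([^>]*)>", re.IGNORECASE)
ACTIVE_ATTR = re.compile(r"\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def executes_script(markup: str) -> bool:
    for m in ELEMENT.finditer(markup):
        name, attrs = m.group(1).lower(), m.group(2)
        if name == "script" or ACTIVE_ATTR.search(attrs):
            return True
    return False


def render_unsafe(value: str) -> str:
    """Mirrors the reported sink: the tag value is interpolated into the page as raw XHTML."""
    return f"<span class='tag'>{value}</span>"


def strip_script_tags(value: str) -> str:
    """Blocklist 'sanitizer' that only removes <script> elements (an input filter, as in control 3)."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", value, flags=re.IGNORECASE)


def render_safe(value: str) -> str:
    """Context-correct fix (control 4): entity-encode before interpolation, so the browser
    sees text, never markup. In Wt this corresponds to rendering the value as plain text
    instead of Wt::TextFormat::UnsafeXHTML."""
    return f"<span class='tag'>{html.escape(value, quote=True)}</span>"


def compare(tags: dict = TAGS) -> dict:
    """For each tag value: does script survive the raw sink, the blocklist filter, and encoding?"""
    return {
        name: {
            "unsafe": executes_script(render_unsafe(value)),
            "blocklist": executes_script(render_unsafe(strip_script_tags(value))),
            "escaped": executes_script(render_safe(value)),
        }
        for name, value in tags.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:6} {result}")
```

Running it shows the GENRE payload defeated by the blocklist but the ARTIST and ALBUM payloads surviving it, and all three inert after encoding; the benign TITLE value renders as "Tom &amp; Jerry &lt;Live&gt;", i.e. it displays correctly without becoming markup.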

Detection Rules:
1. Alert on media files with script tags or event handlers in GENRE, ARTIST, ALBUM fields
2. Monitor for unusual characters (< > " ' ;) in metadata tags during library scans
3. Track access to LMS web interface from unexpected IP ranges
4. Log all file uploads and metadata modifications
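The following is an added example, not part of the original report, implementing detection rules 1 and 2 above as a library scan: it reads the ID3v2 tag at the front of each .mp3, decodes the text frames that carry GENRE (TCON), ARTIST (TPE1) and ALBUM (TALB), and flags values containing an element, an event-handler attribute, a javascript: URL or a numeric entity. The ID3v2.3/2.4 parser is minimal by design (no extended header or unsynchronisation handling; use a tag library such as mutagen for production) and the sample tags are constructed in the code so it runs without any media files. The frame-to-tag mapping is the standard ID3 one and is an assumption about how LMS names these tags.

```python
import os
import re
import struct

# ID3v2 text frames that carry the tags named in the advisory (ID3 frame -> tag name; assumed mapping)
TEXT_FRAMES = {"TCON": "GENRE", "TPE1": "ARTIST", "TALB": "ALBUM", "TIT2": "TITLE"}

# Markup that has no business in a tag value: any element, an event-handler attribute,
# a javascript: URL, or a numeric entity used to smuggle one of those past a naive filter.
SUSPICIOUS = re.compile(
    r"<\s*/?[a-z][a-z0-9]*[^>]*>"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:"
    r"|&#x?[0-9a-f]+;",
    re.IGNORECASE,
)


def _syncsafe_decode(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _syncsafe_encode(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _decode_text(body: bytes) -> str:
    """Text frame body: one encoding byte, then the string (optionally NUL-terminated)."""
    if not body:
        return ""
    codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(body[0], "latin-1")
    return body[1:].decode(codec, errors="replace").rstrip("\x00")


def parse_id3v2_text_frames(data: bytes) -> dict:
    """Return {frame_id: text} for the T*** frames of an ID3v2.3/2.4 tag (empty dict if none).
    Ignores the extended header and unsynchronisation flags; enough for tag triage, not a full parser."""
    if len(data) < 10 or data[:3] != b"ID3":
        return {}
    major = data[3]
    end = 10 + _syncsafe_decode(data[6:10])
    pos, frames = 10, {}
    while pos + 10 <= min(end, len(data)):
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":  # padding reached
            break
        size_bytes = data[pos + 4:pos + 8]
        size = _syncsafe_decode(size_bytes) if major == 4 else struct.unpack(">I", size_bytes)[0]
        body = data[pos + 10:pos + 10 + size]
        pos += 10 + size
        if frame_id.startswith(b"T") and frame_id != b"TXXX":
            frames[frame_id.decode("ascii", errors="replace")] = _decode_text(body)
    return frames


def scan_tag(data: bytes) -> list:
    """Return (tag name, frame id, value) for every text frame whose value contains markup."""
    hits = []
    for frame_id, text in parse_id3v2_text_frames(data).items():
        if SUSPICIOUS.search(text):
            hits.append((TEXT_FRAMES.get(frame_id, frame_id), frame_id, text))
    return hits


def scan_library(root: str) -> list:
    """Walk a directory of .mp3 files and report suspicious tags; reads only the tag, not the audio."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".mp3"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(10)
                if header[:3] != b"ID3":
                    continue
                data = header + fh.read(_syncsafe_decode(header[6:10]))
            findings.extend((path,) + hit for hit in scan_tag(data))
    return findings


# --- constructed sample tags (no real files involved) ---------------------------------
def build_id3v23(frames: dict) -> bytes:
    """Assemble a minimal ID3v2.3 tag with latin-1 text frames, used here to build test input."""
    payload = b""
    for frame_id, text in frames.items():
        body = b"\x00" + text.encode("latin-1") + b"\x00"  # encoding byte 0 = ISO-8859-1
        payload += frame_id.encode("ascii") + struct.pack(">I", len(body)) + b"\x00\x00" + body
    return b"ID3\x03\x00\x00" + _syncsafe_encode(len(payload)) + payload


CLEAN_TAG = build_id3v23({"TPE1": "Fairuz", "TALB": "Legend", "TCON": "Arabic Pop"})
MALICIOUS_TAG = build_id3v23({"TPE1": "Some Artist",
                              "TCON": "Rock<img src=x onerror=alert(document.cookie)>"})

if __name__ == "__main__":
    for label, tag in (("clean", CLEAN_TAG), ("malicious", MALICIOUS_TAG)):
        print(label, scan_tag(tag))
```

Point scan_library at the LMS media root to produce a list of (path, tag, frame, value) hits; a legitimate value such as "<unknown>" will also be flagged, which is the intended trade-off for a triage rule. Files in other containers (FLAC/Vorbis comments, MP4 atoms) carry the same GENRE/ARTIST/ALBUM fields and need their own readers.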

Long-term:
1. Monitor vendor security advisories for patch availability
2. Plan migration to alternative music server solutions if patches remain unavailable
3. Implement regular security assessments of LMS deployments
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy and procedures A.14.2.5 - Secure development environment A.14.3.1 - Testing of security functionality A.14.3.2 - System change control procedures
🔵 SAMA CSF
ID.SC-4 - Supply chain processes are managed PR.DS-1 - Data security and privacy procedures DE.CM-1 - The network is monitored for unauthorized connections
🟡 ISO 27001:2022
8.25 - Secure development life cycle 8.31 - Separation of development, test and production environments 8.29 - Security testing in development and acceptance 8.8 - Management of technical vulnerabilities
📊 CVSS Score
5.4
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: R — Required
Scope: C — Changed
Confidentiality: L — Low
Integrity: L — Low
Availability: N — None
📋 Quick Facts
Severity Medium
CVSS Score5.4
CWECWE-79
EPSS0.03%
Exploit No
Patch ✗ No
Published 2026-06-01
Source Feed nvd
🇸🇦 Saudi Risk Score
5.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-79