Logitech · Logitech Media Server · CVE-2017-16568
**Name of the Vulnerable Software and Affected Versions**
Logitech Media Server version 7.9.0
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML via a radio URL, resulting in persistent (stored) cross-site scripting (XSS). A malicious JavaScript payload submitted as part of a radio URL is stored on the server and executes in the browser of any user who plays the compromised radio stream. Exploitation can result in session hijacking, unauthorized access, persistent manipulation of web content, and phishing or malicious redirects to external domains. Because the payload runs in the context of the server's web interface, it can also be used to manipulate media server behavior in enterprise and home network environments.
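The flaw described above is the classic stored-XSS pattern: a saved value (here a radio URL) is written back into HTML without escaping or scheme validation. The following Python sketch is an added example, not Logitech Media Server code: it shows the vulnerable interpolation beside a hardened form and an audit helper for entries already stored. Function names and sample URLs are constructed for illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample values (not from the advisory): one benign radio URL and one
# carrying HTML markup of the kind a stored-XSS payload would need to survive.
BENIGN_URL = "https://radio.example.test/jazz"
MARKUP_URL = 'http://radio.example.test/stream"><script>alert(1)</script>'

MARKUP_CHARS = set('<>"\'')
ALLOWED_SCHEMES = {"http", "https"}


def render_radio_vulnerable(name: str, url: str) -> str:
    """Pattern behind a stored XSS: a saved value is interpolated into HTML as-is."""
    return f'<a href="{url}">{name}</a>'


def validate_radio_url(url: str) -> bool:
    """Accept only absolute http(s) URLs; reject javascript:, data: and relative paths."""
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def render_radio_hardened(name: str, url: str) -> str:
    """Validate the scheme (escaping alone would still let javascript: through an
    href) and HTML-escape both the attribute value and the link text."""
    if not validate_radio_url(url):
        raise ValueError(f"rejected radio URL scheme: {urlparse(url).scheme!r}")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(name)}</a>'


def audit_stored_radio_urls(urls):
    """Detection helper for entries already on disk: flag URLs that carry markup
    characters or a disallowed scheme so they can be reviewed and removed."""
    flagged = []
    for url in urls:
        if MARKUP_CHARS & set(url) or not validate_radio_url(url):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    print(render_radio_vulnerable("Stream", MARKUP_URL))   # markup survives intact
    print(render_radio_hardened("Stream", MARKUP_URL))     # markup is neutralised
    print(audit_stored_radio_urls([BENIGN_URL, MARKUP_URL, "javascript:alert(1)"]))
```

The audit helper is the part worth running against an existing installation's saved favourites or radio entries while the workaround below is in place.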
**Recommendations**
For Logitech Media Server version 7.9.0, consider disabling the "Radio" functionality as a temporary workaround until a patch is available. Restrict who can add or edit radio URLs to minimize the risk of exploitation, and avoid using the radio URL feature in the application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.