CVE-2023-53919

5.4 MEDIUM

📋 TL;DR

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field. Attackers can inject malicious JavaScript that executes when users visit the application's home page, potentially stealing session cookies or performing unauthorized actions. All PodcastGenerator 3.2.9 installations with theme customization enabled are affected.

💻 Affected Systems

Products:
  • PodcastGenerator
Versions: 3.2.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to theme customization interface (typically admin access).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal administrator session cookies, gain full administrative access, deface the website, or deploy malware to visitors.

🟠 Likely Case: Session hijacking of logged-in users, credential theft, or defacement of the home page.

🟢 If Mitigated: Limited impact if input validation and output encoding are implemented, though stored XSS remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin credentials to access theme_freebox.php. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.10 or later

Vendor Advisory: https://podcastgenerator.net/

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download the latest version from podcastgenerator.net.
3. Replace all files except the 'episodes' and 'images' directories.
4. Verify theme_freebox.php has proper input sanitization.

🔧 Temporary Workarounds

Disable Freebox Content Field

all

Remove or disable the Freebox content field in theme customization to prevent injection.

Edit theme_freebox.php and comment out or remove the vulnerable input field.

Implement Input Validation

all

Add server-side validation to sanitize Freebox content input.

Add htmlspecialchars() or similar filtering to the Freebox content processing code in theme_freebox.php.

🧯 If You Can't Patch

  • Restrict admin access to trusted IP addresses only.
  • Implement a Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check if PodcastGenerator version is 3.2.9 and review theme_freebox.php for lack of input sanitization.

Check Version:

Check the version.txt file in the PodcastGenerator root directory or view the admin dashboard.

Verify Fix Applied:

After patching, test by attempting to inject JavaScript into the Freebox content field and verify it doesn't execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login attempts
  • Modifications to theme_freebox.php or related files

Network Indicators:

  • Suspicious JavaScript payloads in HTTP POST requests to theme_freebox.php

SIEM Query:

source="web_logs" AND (uri="/theme_freebox.php" AND method="POST" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
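
The query above matches literal strings in the raw body, while form posts normally arrive URL-encoded. The following added example (not from this advisory or the PodcastGenerator project) decodes each form field before matching. The JSON log layout, the `content` field name and the sample records are constructed assumptions; `uri`, `method` and `body` follow the query above.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one JSON record per line; "src" and "content" are assumed names.
SAMPLE_LOG = r'''
{"src":"198.51.100.7","method":"POST","uri":"/theme_freebox.php","body":"content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"src":"198.51.100.7","method":"POST","uri":"/theme_freebox.php","body":"content=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"}
{"src":"203.0.113.5","method":"POST","uri":"/theme_freebox.php","body":"content=Welcome+to+our+%3Cb%3Epodcast%3C%2Fb%3E"}
{"src":"203.0.113.5","method":"GET","uri":"/index.php","body":""}
'''

# Markup that can run script when the stored value is rendered unencoded.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def scan_line(line):
    """Return (src, field, [rule names]) for each suspicious form field."""
    rec = json.loads(line)
    path = urlsplit(rec.get("uri", "")).path
    if rec.get("method") != "POST" or not path.endswith("theme_freebox.php"):
        return []
    hits = []
    # parse_qsl percent-decodes values and turns '+' into spaces.
    for field, value in parse_qsl(rec.get("body", ""), keep_blank_values=True):
        rules = [name for name, rx in PATTERNS.items() if rx.search(value)]
        if rules:
            hits.append((rec.get("src"), field, rules))
    return hits


def scan(log_text):
    """Scan every non-empty line of a log and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hits.extend(scan_line(line))
    return hits


if __name__ == "__main__":
    for src, field, rules in scan(SAMPLE_LOG):
        print(src, field, ",".join(rules))
```

Plain formatting markup such as `<b>` is not flagged, so legitimate Freebox edits stay out of the alert queue.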
