The ericzane Floating Window Music Player contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to and including 3.4.2. The vulnerability allows remote attackers to trick authenticated users into executing unwanted actions, which can result in stored malicious scripts being injected and executed in the context of the application. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts to confidentiality, integrity, and availability. No official patch or vendor advisory is currently available, and the product is not a cloud service.

Successful exploitation can lead to stored XSS, allowing attackers to execute malicious scripts in the context of the victim's session, potentially compromising user data and application integrity. The CSRF aspect means attackers can induce authenticated users to perform unintended actions, increasing the risk of unauthorized changes or data exposure. The vulnerability impacts confidentiality, integrity, and availability to a limited extent as per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling or restricting use of the affected Floating Window Music Player versions. Employing web application firewalls or CSRF protection mechanisms may help mitigate risk. Monitor official ericzane channels for updates and patches.