Lyrion Music Server (formerly Logitech Media Server, and often abbreviated as "LMS") is open-source software that can control and serve (stream) music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, internet radio stations, and content from many streaming services (with and without subscriptions).
Lyrion Music Server stores media file metadata tags (such as GENRE, ARTIST, and ALBUM) exactly as written in the file and later renders them in its web interface without HTML-encoding, resulting in stored cross-site scripting. An attacker who gets a file with a malicious tag into the victim's library has their payload saved during the next library scan and executed automatically whenever a user views that track's information or plays the file in the web UI. Because LMS is unauthenticated by default, the injected script runs with full access to the management interface, allowing admin commands, settings disclosure, and further exploitation.
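The flaw class described above, shown as an added Python example rather than LMS's own code (LMS is a separate code base): a track-info view that interpolates tags verbatim, the same view with output encoding, and a scan-time check that flags tags carrying markup. The function names, the table layout and the sample track are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample: tags as a library scan might read them from a file.
# The markup in GENRE is inert and stands in for untrusted tag content.
SAMPLE_TRACK = {
    "TITLE": "Blue in Green",
    "ARTIST": "Miles Davis & Bill Evans",
    "ALBUM": 'Kind of Blue "Legacy"',
    "GENRE": "<u>Jazz</u>",
}

# Anything that looks like the start of an HTML tag, closing tag or comment.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def render_unsafe(track):
    """Flawed pattern: tag values are placed into the page exactly as stored."""
    rows = [f"<tr><th>{name}</th><td>{value}</td></tr>"
            for name, value in track.items()]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(track):
    """Same view with every value HTML-encoded at the point of output."""
    rows = [f"<tr><th>{html.escape(name)}</th>"
            f"<td>{html.escape(value, quote=True)}</td></tr>"
            for name, value in track.items()]
    return "<table>" + "".join(rows) + "</table>"


def audit_tags(track):
    """Return the names of tags whose stored value contains HTML markup.

    A plain '&' or quote is common in real metadata, so only tag-like
    sequences are reported; this is a triage aid, not a substitute for
    encoding on output.
    """
    return [name for name, value in track.items() if MARKUP_RE.search(value)]


if __name__ == "__main__":
    print("flagged tags:", audit_tags(SAMPLE_TRACK))
    print(render_safe(SAMPLE_TRACK))
```

Encoding belongs at render time because the stored value has to stay byte-identical to the file's tag; the audit only helps locate files already in a library that deserve a closer look.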