CVE-2025-10340 (GCVE-0-2025-10340)

Vulnerability from cvelistv5 – Published: 2025-09-13 02:32 – Updated: 2025-09-15 15:49
VLAI?
Title
WhatCD Gazelle Commit Message change_log.php cross site scripting
Summary
A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
3.5 (Low)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3.5 (Low)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
CWE
Assigner
References
Impacted products
Vendor Product Version
WhatCD Gazelle Affected: 63b337026d49b5cf63ce4be20fdabdc880112fa3
Create a notification for this product.
Credits
XU-17 (VulDB User)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10340",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T15:48:57.508408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T15:49:02.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Commit Message Handler"
          ],
          "product": "Gazelle",
          "vendor": "WhatCD",
          "versions": [
            {
              "status": "affected",
              "version": "63b337026d49b5cf63ce4be20fdabdc880112fa3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "XU-17 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed."
        },
        {
          "lang": "de",
          "value": "In WhatCD Gazelle bis 63b337026d49b5cf63ce4be20fdabdc880112fa3 ist eine Schwachstelle entdeckt worden. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei /sections/tools/managers/change_log.php der Komponente Commit Message Handler. Durch das Beeinflussen des Arguments Message mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. F\u00fcr dieses Produkt wird ein Rolling-Release-Ansatz verwendet, wodurch eine st\u00e4ndige Bereitstellung erfolgt. Daher sind keine Versionsdetails zu betroffenen oder aktualisierten Versionen vorhanden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-13T02:32:05.307Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-323759 | WhatCD Gazelle Commit Message change_log.php cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.323759"
        },
        {
          "name": "VDB-323759 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.323759"
        },
        {
          "name": "Submit #643534 | WhatCD Gazelle latest latest /commit 63b3370",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.643534"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-12T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-09-12T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-09-12T11:05:39.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "WhatCD Gazelle Commit Message change_log.php cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-10340",
    "datePublished": "2025-09-13T02:32:05.307Z",
    "dateReserved": "2025-09-12T09:00:36.415Z",
    "dateUpdated": "2025-09-15T15:49:02.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10340\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-09-13T03:15:39.550\",\"lastModified\":\"2025-09-15T16:15:34.807\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.323759\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.323759\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.643534\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10340\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-15T15:48:57.508408Z\"}}}], \"references\": [{\"url\": \"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-15T15:48:47.816Z\"}}], \"cna\": {\"title\": \"WhatCD Gazelle Commit Message change_log.php cross site scripting\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"XU-17 (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 4, \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"WhatCD\", \"modules\": [\"Commit Message Handler\"], \"product\": \"Gazelle\", \"versions\": [{\"status\": \"affected\", \"version\": \"63b337026d49b5cf63ce4be20fdabdc880112fa3\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-09-12T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-09-12T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-09-12T11:05:39.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.323759\", \"name\": \"VDB-323759 | WhatCD Gazelle Commit Message change_log.php cross site scripting\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.323759\", \"name\": \"VDB-323759 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.643534\", \"name\": \"Submit #643534 | WhatCD Gazelle latest latest /commit 63b3370\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/YZS17/CVE/blob/main/Gazelle/xss1.md#poc\", \"tags\": [\"exploit\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.\"}, {\"lang\": \"de\", \"value\": \"In WhatCD Gazelle bis 63b337026d49b5cf63ce4be20fdabdc880112fa3 ist eine Schwachstelle entdeckt worden. Es geht hierbei um eine nicht n\\u00e4her spezifizierte Funktion der Datei /sections/tools/managers/change_log.php der Komponente Commit Message Handler. Durch das Beeinflussen des Arguments Message mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \\u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\\u00f6ffentlicht und kann verwendet werden. F\\u00fcr dieses Produkt wird ein Rolling-Release-Ansatz verwendet, wodurch eine st\\u00e4ndige Bereitstellung erfolgt. Daher sind keine Versionsdetails zu betroffenen oder aktualisierten Versionen vorhanden.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"Cross Site Scripting\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"Code Injection\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-09-13T02:32:05.307Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10340\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-15T15:49:02.243Z\", \"dateReserved\": \"2025-09-12T09:00:36.415Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-09-13T02:32:05.307Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.