FKIE_CVE-2025-50977
Vulnerability from fkie_nvd - Published: 2025-08-27 17:15 - Updated: 2025-09-09 18:45
Summary
A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md | Exploit, Third Party Advisory |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FC023CA4-A5B6-4E12-8FD2-2F3C785E13EC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the \u0027r\u0027 parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad de inyecci\u00f3n de plantillas que provoca Cross Site Scripting (XSS) reflejado en la versi\u00f3n 1.7.1, que requiere acceso de administrador autenticado para su explotaci\u00f3n. La vulnerabilidad se encuentra en el par\u00e1metro \u0027r\u0027 y permite a los atacantes inyectar expresiones maliciosas de Angular que ejecutan c\u00f3digo JavaScript en el contexto de la aplicaci\u00f3n. La falla puede explotarse mediante solicitudes GET al endpoint de resumen, as\u00ed como mediante solicitudes POST a endpoints espec\u00edficos de la interfaz Wicket, aunque el m\u00e9todo GET facilita su uso como arma. Esta vulnerabilidad permite a los administradores autenticados ejecutar c\u00f3digo arbitrario del lado del cliente, lo que podr\u00eda provocar secuestro de sesiones, robo de datos o nuevos ataques de escalada de privilegios."
}
],
"id": "CVE-2025-50977",
"lastModified": "2025-09-09T18:45:26.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-08-27T17:15:41.967",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.