VYPR
← All advisories
Medium severity6.4NVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026

CVE-2019-25739

CVE-2019-25739

Description

GigToDo 1.3 has a persistent XSS vulnerability in the proposal description field, allowing authenticated attackers to steal cookies or redirect users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GigToDo 1.3 has a persistent XSS vulnerability in the proposal description field, allowing authenticated attackers to steal cookies or redirect users.

Vulnerability

GigToDo 1.3 contains a persistent cross-site scripting (XSS) vulnerability within the proposal description field. This vulnerability allows authenticated attackers to inject malicious JavaScript and HTML code through the create_proposal endpoint. The vulnerability affects GigToDo version 1.3 [1].

Exploitation

An attacker must first be authenticated to the GigToDo application. They can then craft XSS payloads within the proposal description field when creating a proposal. These payloads will execute when an administrator or another user views the stored proposal [1].

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary JavaScript and HTML code in the context of the victim's browser. This can lead to the theft of sensitive information, such as cookies, and can also facilitate malicious redirects to attacker-controlled websites [1].

Mitigation

GigToDo version 1.3 is affected by this vulnerability. Information regarding a fixed version or a release date for a patch is not yet available in the provided references. No workarounds have been disclosed [1].

References
  1. GigToDo Freelance Marketplace Script 1.3 Persistent XSS

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4

News mentions

0

No linked articles in our index yet.