CVE-2025-10340
Description
A vulnerability was determined in WhatCD Gazelle up to 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected element is an unknown function of the file /sections/tools/managers/change_log.php of the component Commit Message Handler. Executing manipulation of the argument Message can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WhatCD Gazelle up to commit 63b3370 has a stored XSS in /sections/tools/managers/change_log.php via unescaped changelog messages.
Vulnerability
Overview
CVE-2025-10340 describes a stored cross-site scripting (XSS) vulnerability in WhatCD Gazelle, a private torrent tracker software. The flaw resides in the file /sections/tools/managers/change_log.php, specifically in the component Commit Message Handler. The root cause is that the $Change['Message'] value is retrieved directly from the database and output without any HTML escaping, as shown in the vulnerable code: <?=$Change['Message']?> [1][2].
Exploitation
An attacker with the ability to submit a changelog message (likely a privileged user, or someone using a compromised account) can inject arbitrary HTML or JavaScript into the message field. The payload is stored in the database and executes whenever an administrator or user views the changelog page. The attack can be performed remotely and requires no authentication beyond the ability to post changelog entries [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information. The vulnerability is rated Low severity (CVSS 3.5) because some level of access is required and the scope of impact is limited [1][2].
Mitigation
The vendor uses a rolling release model and has not disclosed specific version information for affected or updated releases. The commit 63b337026d49b5cf63ce4be20fdabdc880112fa3 is known to be vulnerable. Users should apply any available updates or manually escape the $Change['Message'] output using functions like htmlspecialchars() in PHP to prevent XSS [1][2].
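The following is an added illustration of the escaping fix described above, not code from the Gazelle project. It shows the unescaped rendering pattern the advisory describes next to a hardened version that passes every database-sourced value through htmlspecialchars(). The $Change row, the column names other than Message, and the esc() and render* helper names are constructed for the example and are not Gazelle's own.

```php
<?php
// Added example (not Gazelle's own code). A constructed changelog row standing in
// for one result of the database query that change_log.php iterates over.
$Change = [
    'ID'      => 1,
    'Time'    => '2025-01-01 00:00:00',
    'Author'  => 'maintainer',
    'Message' => 'Fixed <b>login</b> & "session" handling', // constructed sample text
];

// Vulnerable pattern from the advisory: the message is echoed verbatim, so any
// markup stored in it becomes part of the rendered page.
function renderChangeVulnerable(array $Change): string
{
    return '<tr><td>' . $Change['Time'] . '</td><td>' . $Change['Author']
        . '</td><td>' . $Change['Message'] . '</td></tr>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES also converts single
// quotes, which matters if a value is ever placed inside an attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, so a malformed message
// is not silently dropped from the log.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderChangeSafe(array $Change): string
{
    return '<tr><td>' . esc($Change['Time']) . '</td><td>' . esc($Change['Author'])
        . '</td><td>' . esc($Change['Message']) . '</td></tr>';
}

echo "Vulnerable output:\n" . renderChangeVulnerable($Change) . "\n\n";
echo "Escaped output:\n" . renderChangeSafe($Change) . "\n";
```

In the hardened output the message renders as `Fixed &lt;b&gt;login&lt;/b&gt; &amp; &quot;session&quot; handling`, so the browser displays the characters instead of interpreting them. In a short-echo template the same change is a one-line edit: `<?=$Change['Message']?>` becomes `<?=esc($Change['Message'])?>`. Escaping the other columns as well costs nothing and removes the need to reason about which fields are trusted.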
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 5
News mentions: 0 (no linked articles in our index yet)