WhatCD Gazelle Cross-Site Scripting Vulnerability in Change Log Manager

Vulnerability

A stored cross-site scripting vulnerability has been identified in WhatCD Gazelle versions prior to commit 63b337026d49b5cf63ce4be20fdabdc880112fa3. The issue arises in the Change Log Manager component, specifically within the file 'sections/tools/managers/change_log.php'. The vulnerability allows attackers to inject arbitrary HTML or JavaScript into the 'Message' field, which is then executed when an administrator or user views the changelog.
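The following is an added illustration, not code from Gazelle or from 'sections/tools/managers/change_log.php', showing the rendering pattern behind a stored XSS of this kind and the output-encoding fix. The row layout, column names and sample log entries are constructed assumptions for the example; nothing here reproduces the project's actual markup or database schema.

```php
<?php
// Added example (not Gazelle's own code): a change-log row rendered two ways.
// The "Message" column is attacker-controlled once it has been saved, so
// whatever it contains is interpreted by the browser of every viewer.

declare(strict_types=1);

// Constructed sample rows standing in for what a change-log manager might
// read back from its table. Column names are hypothetical.
$rows = [
    ['Time' => '2025-09-13 03:17:00', 'Author' => 'sysop',
     'Message' => 'Bumped client whitelist & fixed "quoted" entry'],
    ['Time' => '2025-09-13 03:18:00', 'Author' => 'someone',
     'Message' => 'benign text <script>alert(1)</script> more text'],
];

// Vulnerable pattern: the stored value is interpolated straight into HTML.
// A viewer's browser sees the <script> element as part of the page.
function render_row_unsafe(array $row): string
{
    return "<tr><td>{$row['Time']}</td><td>{$row['Author']}</td>"
         . "<td>{$row['Message']}</td></tr>";
}

// Hardened pattern: encode every untrusted value for an HTML text context.
// ENT_QUOTES covers both quote styles (safe if the value later lands in an
// attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently blank a log entry.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . esc($row['Time']) . '</td><td>' . esc($row['Author'])
         . '</td><td>' . esc($row['Message']) . '</td></tr>';
}

// Quick self-check a reviewer can run: the safe output must never contain a
// raw "<script" sequence, whatever was stored in the Message column.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ($rows as $row) {
    $unsafe = render_row_unsafe($row);
    $safe   = render_row_safe($row);
    printf("unsafe (raw script present: %s): %s\n",
        contains_raw_script($unsafe) ? 'yes' : 'no', $unsafe);
    printf("safe   (raw script present: %s): %s\n",
        contains_raw_script($safe) ? 'yes' : 'no', $safe);
}
```

Run with `php example.php`. For the second row the unsafe renderer reports a raw script element while the safe renderer emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. The fix has to be applied at the point of output, not only on input: a value that was stored before the fix is still rendered safely, and the same `esc()` helper covers every column, not just the one an advisory happens to name.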

Impact

Successful exploitation results in stored cross-site scripting: the injected script runs in the browser and session context of whichever user, including an administrator, views the changelog.

Reproduction

To reproduce this vulnerability, log into a vulnerable instance of WhatCD Gazelle and navigate to the change log manager. Inject a script payload into the message field. Once the message is saved, the injected script will execute when the changelog is viewed.

Added: Sep 13, 2025, 3:17 AM
Updated: Sep 13, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.