CVE-2025-50977

A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md	Exploit Third Party Advisory
https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-27 17:15

Updated : 2025-09-09 18:45

NVD link : CVE-2025-50977

Mitre link : CVE-2025-50977

CVE.ORG link : CVE-2025-50977

JSON object : View

Products Affected

gitblit

gitblit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-50977", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-08-27T17:15:41.967", "references": [{"url": "https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-angularjs-expression.md", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de inyecci\u00f3n de plantillas que provoca Cross Site Scripting (XSS) reflejado en la versi\u00f3n 1.7.1, que requiere acceso de administrador autenticado para su explotaci\u00f3n. La vulnerabilidad se encuentra en el par\u00e1metro 'r' y permite a los atacantes inyectar expresiones maliciosas de Angular que ejecutan c\u00f3digo JavaScript en el contexto de la aplicaci\u00f3n. La falla puede explotarse mediante solicitudes GET al endpoint de resumen, as\u00ed como mediante solicitudes POST a endpoints espec\u00edficos de la interfaz Wicket, aunque el m\u00e9todo GET facilita su uso como arma. Esta vulnerabilidad permite a los administradores autenticados ejecutar c\u00f3digo arbitrario del lado del cliente, lo que podr\u00eda provocar secuestro de sesiones, robo de datos o nuevos ataques de escalada de privilegios."}], "lastModified": "2025-09-09T18:45:26.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC023CA4-A5B6-4E12-8FD2-2F3C785E13EC"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}