CVE-2025-50977

Source
https://cve.org/CVERecord?id=CVE-2025-50977
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50977.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-50977
Published
2025-08-27T00:00:00Z
Modified
2026-07-08T08:12:06.002633077Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks.

Database specific
{
    "cna_assigner": "mitre",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/50xxx/CVE-2025-50977.json"
}
References

Affected packages

Git / github.com/gitblit-org/gitblit

Affected ranges

Type
GIT
Repo
https://github.com/gitblit-org/gitblit
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.7.1"
        },
        {
            "last_affected": "1.7.1"
        }
    ],
    "cpe": "cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*",
    "source": "CPE_STRING"
}

Affected versions

1.*
1.7.1
v1.*
v1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50977.json"