LOW · CVE-2025-2340 · CVSS 2.4

CVE-2025-2340: XSS in Tale Blog 2.0.5

Platform: php
Component: cve_article
Fixed in: 2.0.6

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-2340 is a cross-site scripting (XSS) vulnerability affecting Tale Blog version 2.0.5. It allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or data theft. The vulnerability resides in the saveOptions function within the /options/save file of the Site Settings component. A fix is available in version 2.0.6.

Impact and Attack Scenarios

An attacker holding a privileged account (the CVSS vector rates Privileges Required as High) can exploit this XSS vulnerability by manipulating the 'Site Title' parameter sent to the /options/save endpoint. Because the setting is saved and later rendered by the application, successful exploitation allows the attacker to inject arbitrary JavaScript code into Tale Blog pages. That code then executes in the browser of any user visiting the affected page, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the website. Given the public disclosure of this vulnerability, it presents a significant risk, especially since the product is no longer supported by the maintainer, leaving unpatched installations exposed to ongoing attacks.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of response from the vendor and the product's unsupported status further exacerbate the risk. While no active exploitation campaigns have been publicly reported, the availability of a proof-of-concept significantly lowers the barrier to entry for attackers. The vulnerability was disclosed on 2025-03-16.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.09% (25% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

Threat intelligence · CVSS v3.1 base score 2.4 (Low) · nextguardhq.com
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: cve_article
Vendor: otale
Affected range: 2.0.5 – 2.0.5
Fixed in: 2.0.6

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-2340 is to upgrade Tale Blog to version 2.0.6, which contains the fix. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that filters requests carrying suspicious characters in the 'Site Title' parameter. Server-side input validation, together with sanitizing or encoding user-supplied data before it is rendered into HTML, also prevents this class of XSS. Since the product is no longer supported, thorough security audits and ongoing monitoring are crucial.

How to fix

Given that the product is no longer supported, the only solution is to migrate to a supported platform or version that has corrected the XSS vulnerability. If this is not possible, it is recommended to disable the affected component or implement additional security measures, such as input filtering and output encoding, to mitigate the risk.
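The mitigation and fix sections above both come down to the same two controls: validate the Site Title when it is saved, and encode it when it is rendered. The following Python script, added here as an illustration and not code from Tale Blog or from this advisory's author, shows the vulnerable rendering pattern next to the hardened one, a server-side validator for the setting, and a review helper that flags stored settings values carrying markup. The sample titles, the 120-character limit, and the function names are all assumptions chosen for the demonstration.

```python
import html
import re

# Constructed sample values for the Site Title setting. They are illustrative only
# and are not payloads taken from the advisory or from Tale Blog's own code.
SAMPLE_TITLES = {
    "benign": "My Tale Blog",
    "script_tag": "<script>alert(1)</script>",
    "attr_breakout": '" onmouseover="alert(1)',
}

MAX_TITLE_LEN = 120  # assumed limit; the page does not state Tale Blog's real one
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# Markup metacharacters, a javascript: scheme, or inline event-handler syntax.
_MARKUP_HINTS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def validate_site_title(title: str) -> list[str]:
    """Server-side validation run before the setting is stored.

    Returns a list of problems; an empty list means the value is acceptable.
    Validation bounds what can be stored, but the output encoding below is
    what actually prevents XSS, so a hardened handler applies both.
    """
    problems = []
    if not title.strip():
        problems.append("title is empty")
    if len(title) > MAX_TITLE_LEN:
        problems.append(f"title longer than {MAX_TITLE_LEN} characters")
    if _CONTROL_CHARS.search(title):
        problems.append("title contains control characters")
    return problems


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML verbatim."""
    return f'<title>{title}</title><h1 class="site-title" title="{title}">{title}</h1>'


def render_title_safe(title: str) -> str:
    """Hardened pattern: encode for HTML at output time.

    html.escape(quote=True) encodes & < > " and ', which covers both the
    element-body context and the quoted-attribute context used here.
    """
    enc = html.escape(title, quote=True)
    return f'<title>{enc}</title><h1 class="site-title" title="{enc}">{enc}</h1>'


def looks_suspicious(value: str) -> bool:
    """Heuristic for reviewing stored settings or request logs: flags values
    that carry markup metacharacters or inline event-handler syntax."""
    return _MARKUP_HINTS.search(value) is not None


def audit_settings(settings: dict) -> list[str]:
    """Return the keys of stored settings whose values look like injected markup."""
    return [key for key, value in settings.items() if looks_suspicious(value)]


if __name__ == "__main__":
    for name, title in SAMPLE_TITLES.items():
        print(f"--- {name}")
        print("validation:", validate_site_title(title) or "ok")
        print("unsafe    :", render_title_unsafe(title))
        print("safe      :", render_title_safe(title))
    stored = {"site_title": SAMPLE_TITLES["script_tag"], "site_keywords": "blog, notes"}
    print("flagged settings:", audit_settings(stored))
```

Run it directly to see the three sample titles pass through both renderers: the benign title renders identically either way, while the two crafted values come out of `render_title_safe` as inert text in every context. `audit_settings` is the kind of check worth running over an exported settings table of an installation that cannot be upgraded, since a value that already contains markup indicates the setting was tampered with before any WAF rule was in place.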


Frequently asked questions

What is CVE-2025-2340 — XSS in Tale Blog?

CVE-2025-2340 is a cross-site scripting (XSS) vulnerability in Tale Blog version 2.0.5 that allows attackers to inject malicious scripts.

Am I affected by CVE-2025-2340 in Tale Blog?

You are affected if you are running Tale Blog version 2.0.5 and have not upgraded to version 2.0.6.

How do I fix CVE-2025-2340 in Tale Blog?

Upgrade Tale Blog to version 2.0.6. If upgrading is not possible, implement a WAF rule to filter suspicious input.

Is CVE-2025-2340 being actively exploited?

While no active campaigns are confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.

Where can I find the official Tale Blog advisory for CVE-2025-2340?

Due to the product being unsupported, there is no official advisory. Refer to external security resources for information.
