Platform
php
Component
cve_article
Fixed in
2.0.6
CVE-2025-2340 is a cross-site scripting (XSS) vulnerability affecting Tale Blog version 2.0.5. It allows an attacker to inject script into the application, potentially leading to session hijacking or data theft. The flaw resides in the saveOptions function within the /options/save file of the Site Settings component. A fix is available in version 2.0.6.
An attacker can exploit this XSS vulnerability by manipulating the 'Site Title' parameter within the /options/save endpoint. Successful exploitation allows the attacker to inject arbitrary JavaScript code into the Tale Blog application. This code will then execute in the context of any user visiting the affected page, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the website. Given the publicly disclosed nature of this vulnerability, it presents a significant risk, especially since the product is no longer supported by the maintainer, leaving it vulnerable to ongoing attacks.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of response from the vendor and the product's unsupported status further exacerbate the risk. While no active exploitation campaigns have been publicly reported, the availability of a proof-of-concept significantly lowers the barrier to entry for attackers. The vulnerability was disclosed on 2025-03-16.
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2340 is to upgrade Tale Blog to version 2.0.6, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the 'Site Title' parameter. Input validation on the server-side, specifically sanitizing user-supplied data before rendering it in the HTML, can also help prevent XSS attacks. Since the product is no longer supported, thorough security audits and ongoing monitoring are crucial.
Given that the product is no longer supported, the only solution is to migrate to a supported platform or version that has corrected the XSS vulnerability. If this is not possible, it is recommended to disable the affected component or implement additional security measures, such as input filtering and output encoding, to mitigate the risk.
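The two mitigations named above, output encoding at render time and interim input filtering on the 'Site Title' value, are illustrated below in a small added example. It is not Tale Blog's code and not taken from the advisory; the handler name save_options, the settings dictionary, and the sample titles are all constructed for this illustration. The vulnerable renderer reflects the stored setting into HTML untouched, the safe renderer encodes it, and the filter shows what a WAF-style rule can and cannot do.

```python
import html
import re

# Constructed sample values for the 'Site Title' setting (not from the advisory).
BENIGN_TITLE = "My Tale Blog & Notes"
INJECTED_TITLE = "<script>alert(1)</script>"  # classic XSS probe string, constructed


def render_site_title_vulnerable(title: str) -> str:
    """Reflects the stored setting into HTML untouched: the defect class this CVE describes."""
    return f"<title>{title}</title>"


def render_site_title_safe(title: str) -> str:
    """Output encoding: escape &, <, >, " and ' before the value reaches an HTML context."""
    return f"<title>{html.escape(title, quote=True)}</title>"


# Heuristic server-side filter usable as an interim WAF-style rule while an upgrade is
# pending: flag tag delimiters, javascript: URLs and inline event handlers. This reduces
# exposure only; output encoding is the actual fix.
_SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_suspicious_site_title(title: str) -> bool:
    return bool(_SUSPICIOUS.search(title))


def save_options(form: dict, settings: dict, strict: bool = False) -> bool:
    """Hypothetical /options/save handler. Stores the raw value (encoding belongs at output);
    with strict=True it additionally rejects titles the heuristic filter flags."""
    title = form.get("site_title", "")
    if strict and is_suspicious_site_title(title):
        return False
    settings["site_title"] = title
    return True


def is_neutralized(rendered: str) -> bool:
    """True when the only tags in the rendered fragment are the template's own <title> pair."""
    return rendered.count("<") == 2 and rendered.startswith("<title>") and rendered.endswith("</title>")


if __name__ == "__main__":
    settings: dict = {}
    save_options({"site_title": INJECTED_TITLE}, settings)
    print("vulnerable:", render_site_title_vulnerable(settings["site_title"]))
    print("encoded:   ", render_site_title_safe(settings["site_title"]))
    print("strict save accepted:", save_options({"site_title": INJECTED_TITLE}, {}, strict=True))
```

The encoding step is the one that removes the bug: the stored title can contain anything, but the rendered page can no longer contain a tag the template did not put there. In a PHP code base the equivalent call is htmlspecialchars($title, ENT_QUOTES, 'UTF-8') at every point where the setting is printed into HTML. The regex filter is deliberately conservative and will still miss encodings it does not anticipate, which is why the advisory ranks it as a stopgap rather than a fix.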
CVE-2025-2340 is a cross-site scripting (XSS) vulnerability in Tale Blog version 2.0.5 that allows attackers to inject malicious scripts.
You are affected if you are running Tale Blog version 2.0.5 and have not upgraded to version 2.0.6.
Upgrade Tale Blog to version 2.0.6. If upgrading is not possible, implement a WAF rule to filter suspicious input.
While no active campaigns are confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Due to the product being unsupported, there is no official advisory. Refer to external security resources for information.