
CVE-2025-10340: Cross Site Scripting in WhatCD Gazelle

Severity: Medium
Tags: Vulnerability, CVE-2025-10340
Published: Sat Sep 13 2025 (09/13/2025, 02:32:05 UTC)
Source: CVE Database V5
Vendor/Project: WhatCD
Product: Gazelle

Description

A vulnerability was found in WhatCD Gazelle up to commit 63b337026d49b5cf63ce4be20fdabdc880112fa3. The affected code is an unknown function in the file /sections/tools/managers/change_log.php of the Commit Message Handler component. Manipulation of the argument Message leads to cross-site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be used. This product uses a rolling-release model for continuous delivery, so version information for affected or updated releases is not disclosed.

AI-Powered Analysis

Last updated: 09/13/2025, 03:03:05 UTC

Technical Analysis

CVE-2025-10340 is a cross-site scripting (XSS) vulnerability in the WhatCD Gazelle software, affecting the Commit Message Handler component in the file /sections/tools/managers/change_log.php. The flaw arises because the 'Message' argument is not properly sanitized on input or encoded on output, so an attacker can supply a value containing script markup. When a victim's browser loads the page that renders that value, the injected JavaScript executes in the context of the victim's session on the site. The vulnerability can be exploited remotely without authentication, although user interaction is required to trigger the payload (for example, a victim visiting a crafted URL or viewing the affected page). Because the product follows a rolling-release model, the affected range cannot be pinned down beyond the commit hash given above. The CVSS 4.0 base score is 5.1 (medium); the vector indicates a network attack vector, low attack complexity, no privileges required, and user interaction required. The vulnerability has no significant impact on confidentiality or availability, but a limited impact on integrity because of the script execution it allows. No exploitation in the wild is currently known, but the vulnerability has been publicly disclosed, which raises the likelihood of exploitation attempts.

Potential Impact

For European organizations using WhatCD Gazelle, this XSS vulnerability could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users if exploited successfully. Given that Gazelle is a platform often used for private torrent trackers and community management, the impact may include compromise of user accounts and leakage of sensitive user information. Although the direct impact on critical infrastructure is limited, organizations relying on Gazelle for community or content management could face reputational damage and user trust erosion. The remote exploitability without authentication increases the risk, especially in environments where users may be less security-aware or where phishing attacks could be combined with this vulnerability. The medium severity suggests that while the threat is not critical, it should be addressed promptly to prevent potential exploitation, especially in regulated environments with strict data protection requirements such as GDPR in Europe.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should apply any patches or updates from the WhatCD Gazelle project as soon as they are released. Until an official fix is available, organizations should add input validation and, above all, context-appropriate output encoding for the 'Message' parameter handled by change_log.php so that attacker-supplied markup is rendered as inert text. Sending Content Security Policy (CSP) headers reduces the impact of any XSS that slips through by restricting where scripts may be loaded from and whether inline script may run. Organizations should also provide security awareness training on the risks of following unknown links and encourage the use of modern browsers with built-in XSS protections. Monitoring web server logs for suspicious requests to the vulnerable endpoint can give early warning of exploitation attempts. Finally, consider placing the Gazelle application behind a web application firewall (WAF) configured to detect and block XSS payloads aimed at this specific parameter.
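The output-encoding and CSP recommendations above, shown as an added PHP example. This is illustration written for this page, not Gazelle's own change_log.php code: the function names, the `$entry` array shape, and the sample message are assumptions. It shows the vulnerable pattern (writing the Message value straight into HTML) beside the hardened pattern (encoding at output time) and a CSP header that blocks inline script as a second layer.

```php
<?php
// Added example, not code from the Gazelle project. The function names,
// the $entry array layout and the sample message are assumptions made
// for illustration only.

declare(strict_types=1);

// Vulnerable pattern: the attacker-controlled Message value is concatenated
// directly into the HTML response, so any markup or event handler it
// carries is interpreted by the victim's browser.
function render_entry_vulnerable(array $entry): string
{
    return '<li>' . $entry['Message'] . '</li>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes single and double quotes, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of silently returning an empty string, and the
// explicit charset must match the page's declared charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_entry_hardened(array $entry): string
{
    return '<li>' . h($entry['Message']) . '</li>';
}

// Defence in depth: a Content Security Policy that forbids inline script, so
// that a missed encoding site still cannot execute attacker-supplied JS.
// The nonce must be generated fresh for every response and added to the
// site's own <script nonce="..."> tags; any script without it is blocked.
// header() must be called before any output is sent.
function send_csp_header(string $nonce): void
{
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'"
    );
}

// Constructed sample input: a commit message that carries script markup.
$sample = ['Message' => "Refactor <script>alert('xss')</script> handler"];

$nonce = base64_encode(random_bytes(16));
send_csp_header($nonce);

// The hardened renderer emits the message as escaped text; the browser shows
// the literal characters and executes nothing.
echo "<ul>\n" . render_entry_hardened($sample) . "\n</ul>\n";
```

Encoding belongs at the output site rather than (only) at the input site because the same stored Message value may later be rendered in other contexts (attribute, JavaScript string, URL), each of which needs its own encoder; validation on input is a useful additional check but not a substitute.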


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-12T09:00:36.415Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c4dcd46da8ad0abf38e5f3

Added to database: 9/13/2025, 2:54:12 AM

Last enriched: 9/13/2025, 3:03:05 AM

Last updated: 9/13/2025, 4:16:24 AM

