Last active
November 4, 2025 11:17
-
-
Save alex-xor/8d0f9f456e6840a955889305ea789ef8 to your computer and use it in GitHub Desktop.
CVE-2025-52179 / CVE-2025-52180 — Unauthenticated reflected XSS in Zucchetti Ad Hoc Revolution and Ad Hoc Infinity
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE IDs: CVE-2025-52179, CVE-2025-52180 | |
| Affected products and versions: | |
| - Zucchetti Ad Hoc Revolution 4.1 and earlier | |
| - Zucchetti Ad Hoc Infinity 4.2 and earlier | |
| Per-CVE mapping (product → endpoint): | |
| - CVE-2025-52179 (Zucchetti Ad Hoc Revolution 4.1 and earlier): | |
| Affected component / endpoint: | |
| - /ahrw/jsp/gsfr_feditorHTML.jsp?pHtmlSource | |
| - CVE-2025-52180 (Zucchetti Ad Hoc Infinity 4.2 and earlier): | |
| Affected component / endpoint: | |
| - /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource | |
| Vulnerable parameter: | |
| - pHtmlSource | |
| Vulnerability type: | |
| - Reflected Cross-Site Scripting (CWE-79) — unauthenticated, remote, client-side script execution triggered by unsanitized reflection of the pHtmlSource parameter. | |
| Status: | |
| - Vendor fixes were released on 2025-06-18. | |
| - Coordinated disclosure window completed (90 days + 30-day extension; final date: 2025-10-16). | |
| - Technical evidence (screenshots/PoC) has been provided privately to MITRE and the vendors. | |
| Note: This gist contains only the minimum required information for CVE publication. No exploit code or sensitive host details are published here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment