CVE-2025-1585 – otale header.html OptionsService cross site scripting

https://notcve.org/view.php?id=CVE-2025-1585

23 Feb 2025 — A vulnerability, which was classified as problematic, has been found in otale tale up to 2.0.5. This issue affects the function OptionsService of the file src/main/resources/templates/themes/default/partial/header.html. The manipulation of the argument logo_url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/dragonkeep/cve/blob/main/Tale_Blog_xss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •