Dennisoelkers

**Name of the Vulnerable Software and Affected Versions** Graylog versions 6.1.0 through 6.1.1 **Description** Graylog is a log management platform. The reporting functionality allows the creation and scheduling of reports containing dashboard widgets displaying log messages or aggregated metrics. A flaw exists where multiple concurrent report rendering requests from authorized users can lead to information leakage. When multiple reports are requested simultaneously, the headless browser instance used for PDF rendering is reused. Depending on timing, this can result in an error or allow one user to access another user's report, potentially exposing indexed log messages or aggregated data they should not have access to. **Recommendations** Graylog version 6.1.2 resolves this issue. Upgrade to version 6.1.2 or later. As a temporary measure, disable the reporting functionality.

**Name of the Vulnerable Software and Affected Versions** Graylog versions prior to 2.4.4 **Description** The issue is related to an XSS security problem with unescaped text in notifications. This is connected to toastr and the util/UserNotification.js file. **Recommendations** For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue. As a temporary workaround, consider disabling notifications until a patch is available. Restrict access to the util/UserNotification.js file to minimize the risk of exploitation.