PT-2025-44664 · Elog · Elog
Published 2025-10-31 · Updated 2025-11-10
CVE-2025-62618
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
ELOG versions prior to 3.1.5-20251014
Description
ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. The application includes usernames and password hashes in certain HTTP requests, potentially allowing an attacker to obtain credentials and replay them or crack the password hash offline.
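The following is an added example of the generic defensive pattern for the upload problem described above; it is not ELOG's code and is not taken from the fix. It assumes a hypothetical upload handler with the functions is_browser_active() and download_headers(), and it shows two controls a practitioner would check for: sniffing the uploaded bytes for browser-active markup instead of trusting the file extension, and serving every stored upload with headers that prevent the browser from rendering it as a document in the application's origin. The sample file contents are constructed for the example.

```python
"""Defensive handling of user-uploaded files (added example, not ELOG's code).

Two mitigations for the class of issue where an uploaded HTML file is
rendered in other users' browsers:
  1. classify an upload by its *content*, not only its extension, so that a
     file named report.txt that begins with <script> is still recognised;
  2. serve uploads as forced downloads with nosniff and, for anything that
     looks browser-active, an octet-stream type plus a CSP sandbox.
Function names and the policy below are assumptions for illustration.
"""
import re

# Tags that make a browser treat the file as an HTML/SVG document or run
# script when the file is opened directly (SVG allows inline <script>).
_ACTIVE_MARKUP = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg|object|embed|meta|link)\b",
    re.IGNORECASE,
)

# Extensions a browser renders as a document when served with a matching type.
_RENDERABLE_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml", "shtml", "mht", "mhtml"}

# Types considered safe to declare; everything else is served as octet-stream.
_SAFE_TYPES = {
    "txt": "text/plain; charset=utf-8",
    "csv": "text/plain; charset=utf-8",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}


def _basename(filename: str) -> str:
    # Drop any directory components a client may have sent along.
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def _extension(filename: str) -> str:
    base = _basename(filename)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_browser_active(filename: str, data: bytes) -> bool:
    """True when opening the file inline could render a page or run script.

    Both the extension and the first 4 KiB of content are checked, so a
    renamed HTML payload does not slip through on its extension alone.
    """
    if _extension(filename) in _RENDERABLE_EXTENSIONS:
        return True
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    return _ACTIVE_MARKUP.search(head) is not None


def download_headers(filename: str, data: bytes) -> dict:
    """Response headers for serving a stored upload as a non-executable download.

    Every upload gets Content-Disposition: attachment (never rendered inline)
    and X-Content-Type-Options: nosniff (the declared type is not guessed
    away). Browser-active content is additionally typed as octet-stream and
    placed under a CSP sandbox, so even a direct navigation to the file does
    not produce a scripted page in the application's origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", _basename(filename)) or "download"
    headers = {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "private, no-store",
    }
    if is_browser_active(filename, data):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Type"] = _SAFE_TYPES.get(_extension(filename), "application/octet-stream")
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: a renamed HTML payload and a harmless PNG header.
    samples = [
        ("report.txt", b"\xef\xbb\xbf  <SCRIPT>alert(1)</SCRIPT>"),
        ("notes.html", b"hello"),
        ("../../evil name.png", b"\x89PNG\r\n\x1a\n"),
        ("data.csv", b"a,b,c\n1,2,3\n"),
    ]
    for name, content in samples:
        print(name, "active" if is_browser_active(name, content) else "inert",
              download_headers(name, content)["Content-Type"])
```

The content check is deliberately conservative: a false positive only means a file is served as a plain download with a sandbox policy, while a false negative would hand an attacker a page executing in every viewer's session, which is exactly the failure mode the description above reports.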
Recommendations
Update to ELOG version 3.1.5-20251014 or later.
Fix
XSS
Unrestricted File Upload
Related Identifiers
Affected Products
Elog