CVE 8.6 HIGH

ELOG file upload stored XSS_CVE-2025-62618

October 31, 2025 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.

AI Analysis

Stored XSS vulnerability in ELOG file upload, allowing authenticated users to upload arbitrary HTML files and execute them in the context of other users.

Basic Information

ID CVE-2025-62618

Source cisa-cg

Published Oct 31, 2025 at 18:31

Affected Product

Vendor ELOG

Product ELOG

Version 3.1.5-20251014

Affected Versions ELOG ELOG 0

CWE Classification

CWE-434 CWE-79 CWE-836

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor ELOG

Product ELOG

Version 3.1.5-20251014

References

{
    "lastseen": "",
    "description": "ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.",
    "published": "2025-10-31T18:31:06.652Z",
    "modified": "2025-10-31T18:31:06.652Z",
    "type": "cve",
    "title": "ELOG file upload stored XSS",
    "source": "cisa-cg",
    "references": "https://bitbucket.org/ritt/elog/commits/f81e5695c40997322fe2713bfdeba459d9de09dc\nhttps://elog.psi.ch/elog/download/RPMS/?C=M;O=D\nhttps://bitbucket.org/ritt/elog/commits/7092ff64f6eb9521f8cc8c52272a020bf3730946\nhttps://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-304-01.json\nhttps://www.cve.org/CVERecord?id=CVE-2025-62618",
    "id": "CVE-2025-62618",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434",
        "CWE-79",
        "CWE-836"
    ],
    "cvelist": null,
    "sourceData": "ELOG ELOG 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ELOG",
    "version": "3.1.5-20251014",
    "vendor": "ELOG",
    "ai_description": "Stored XSS vulnerability in ELOG file upload, allowing authenticated users to upload arbitrary HTML files and execute them in the context of other users.",
    "ai_severity": "High",
    "ai_vendor": "ELOG",
    "ai_product": "ELOG",
    "ai_version": "3.1.5-20251014",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply