CVE-2025-62618
HIGH 8.0
Description
ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In the ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.
CVE Details
CVSS v3.1 score: 8.0
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 10/31/2025
Last modified: 11/10/2025
Source: nvd
Honeypot observations: 0
Affected products
elog_project:elog
Weaknesses (CWE)
CWE-79, CWE-434, CWE-836
References
https://bitbucket.org/ritt/elog/commits/7092ff64f6eb9521f8cc8c52272a020bf3730946 (9119a7d8-5eab-497f-8521-727c672e3725)
https://bitbucket.org/ritt/elog/commits/f81e5695c40997322fe2713bfdeba459d9de09dc (9119a7d8-5eab-497f-8521-727c672e3725)
https://elog.psi.ch/elog/download/RPMS/?C=M;O=D (9119a7d8-5eab-497f-8521-727c672e3725)
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-304-01.json (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.cve.org/CVERecord?id=CVE-2025-62618 (9119a7d8-5eab-497f-8521-727c672e3725)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.