Vulnerability Description
ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elog Project | Elog | < 3.1.5-20251014 |
Related Weaknesses (CWE)
References
- https://bitbucket.org/ritt/elog/commits/7092ff64f6eb9521f8cc8c52272a020bf3730946Patch
- https://bitbucket.org/ritt/elog/commits/f81e5695c40997322fe2713bfdeba459d9de09dcPatch
- https://elog.psi.ch/elog/download/RPMS/?C=M;O=DProduct
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2025-62618Third Party Advisory
FAQ
What is CVE-2025-62618?
CVE-2025-62618 is a vulnerability with a CVSS score of 8.0 (HIGH). ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashe...
How severe is CVE-2025-62618?
CVE-2025-62618 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62618?
Check the references section above for vendor advisories and patch information. Affected products include: Elog Project Elog.