CVE-2018-11650
Description
Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Graylog versions before 2.4.4 contain an XSS vulnerability in notifications due to unescaped text in toastr/UserNotification.js.
Vulnerability
Graylog versions before 2.4.4 are vulnerable to a cross-site scripting (XSS) issue in notifications. The vulnerability resides in the util/UserNotification.js module, which uses the toastr library to display notifications. User-supplied text is not properly escaped before being inserted into the DOM, allowing an attacker to inject arbitrary HTML and JavaScript [1][2].
Exploitation
To exploit this vulnerability, an attacker must be able to control the text content of a notification, for example by supplying malicious input that is later reflected in a toast notification. The victim must view the notification in their browser. No special network position or authentication is required beyond the ability to trigger a notification with crafted text [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Graylog web interface, potentially leading to session hijacking, data theft, or other malicious actions on behalf of the victim [2].
Mitigation
Graylog addressed this vulnerability in version 2.4.4, released on May 23, 2018 [4]. Users should upgrade to v2.4.4 or later. No workarounds are documented; upgrading is the recommended action [1][4].
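The following is an added illustration, not code from Graylog, toastr or the referenced pull request. `renderToast` is an assumed stand-in for a toastr-style renderer that returns the markup as a string so the two behaviours (raw insertion versus escaping of the notification text) can be compared offline; the sample message is constructed.

```javascript
// Added illustration (not Graylog's or toastr's code): why unescaped
// notification text is an XSS sink, and what escaping changes.

// Escape the characters that matter when text is placed in HTML content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed stand-in for a toastr-style renderer: it builds the toast markup
// from a title and a message. A real library writes this into the DOM; here
// the HTML string is returned so it can be inspected.
function renderToast(title, message, { escape = false } = {}) {
  const t = escape ? escapeHtml(title) : title;
  const m = escape ? escapeHtml(message) : message;
  return (
    '<div class="toast"><div class="toast-title">' + t +
    '</div><div class="toast-message">' + m + "</div></div>"
  );
}

// Detection helper for the check below: true if any tag present in the
// untrusted input survives verbatim in the rendered markup, meaning the
// text was interpreted as HTML instead of being displayed as text.
function containsRawTag(html, input) {
  const tags = input.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// Constructed sample: notification text that originated in an untrusted field.
const SAMPLE_MESSAGE = 'Stream <b>"alerts"</b> updated <script>alert(1)</script>';

// Unescaped rendering keeps the tags; escaped rendering neutralises them.
const unsafeToast = renderToast("Error", SAMPLE_MESSAGE);
const safeToast = renderToast("Error", SAMPLE_MESSAGE, { escape: true });
```

Both the title and the message must go through the same escaping, since either may carry user-controlled text.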
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.graylog2:graylog2-server | Maven | < 2.4.4 | 2.4.4 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
1. https://github.com/advisories/GHSA-h7g4-65mf-6mxh (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2018-11650 (NVD advisory)
3. https://github.com/Graylog2/graylog2-server/pull/4727 (fix pull request)
4. https://www.graylog.org/post/announcing-graylog-v2-4-4 (Graylog v2.4.4 release announcement)
News mentions: 0
No linked articles in our index yet.