CVE-2018-11651
Description
Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Graylog before v2.4.4 contains a stored XSS vulnerability via unescaped dashboard names that allows attacker-injected scripts to execute when the dashboard is viewed.
Vulnerability
Graylog versions before v2.4.4 are affected by a stored cross-site scripting (XSS) vulnerability in dashboard name fields. The issue originates from unescaped text in dashboard names handled by the components Dashboard.jsx, EditDashboardModal.jsx, and ShowDashboardPage.jsx [1][2]. An attacker with the ability to create or edit dashboards can inject arbitrary HTML or JavaScript into the dashboard title; the stored payload is then rendered without escaping whenever any user views the dashboard listing or the dashboard page itself.
Exploitation
The attacker must have a valid Graylog account with sufficient privileges to create or edit dashboards (typically an "Admin" or "Manager" role). The attacker crafts a malicious dashboard name containing a JavaScript payload (e.g., ``). Once the dashboard is saved, any user who navigates to the affected dashboard or the dashboard list triggers execution of the injected script in their browser, with no additional user interaction required beyond viewing the page [1].
Impact
Successful exploitation leads to client-side execution of arbitrary JavaScript in the context of the victim's Graylog session. An attacker can steal session cookies, perform actions on behalf of the victim within the application (such as modifying dashboards or extracting search results), and potentially pivot to internal network resources if the victim's browser can access internal services [1]. The impact is limited by the same-origin policy within the Graylog application but can compromise the confidentiality and integrity of log data accessible to the victim.
Mitigation
The vulnerability is fixed in Graylog v2.4.4, released on or around June 1, 2018 [1][4]. The fix renders dashboard titles and descriptions through React and Reflux instead of injecting them with jQuery's .html(); React escapes strings it renders as text, so markup in a title is displayed literally rather than interpreted [3]. Users are strongly advised to upgrade to v2.4.4 or later. No workarounds are documented, and blocking dashboard creation is not a practical one. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
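To make the fix concrete, the following is an added example, not Graylog's code and not taken from the referenced pull request. It contrasts the unsafe pattern the advisory describes (a stored dashboard name concatenated straight into markup, as happens with jQuery's .html() or innerHTML) with escaping on render, which is what React does for text nodes. The function names, the `containsForeignTag` audit helper and the sample dashboard name are all constructed for illustration.

```javascript
// Added example (not Graylog's code): unescaped vs. escaped rendering of a
// stored dashboard name, the difference at the heart of CVE-2018-11651.
// All names and sample values here are constructed for illustration.

// Minimal HTML escaping for text placed inside element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is spliced into markup verbatim,
// which is what handing a string to jQuery's .html() or innerHTML does.
function renderTitleUnsafe(dashboardName) {
  return `<h1 class="dashboard-title">${dashboardName}</h1>`;
}

// Hardened pattern: escape before concatenating. This is equivalent to
// rendering the name as a React text node or assigning it to textContent.
function renderTitleSafe(dashboardName) {
  return `<h1 class="dashboard-title">${escapeHtml(dashboardName)}</h1>`;
}

// Audit helper (constructed): report whether a rendered fragment contains any
// tag the template itself did not emit. Useful as a regression check in tests
// for view code that builds HTML from user-controlled strings.
function containsForeignTag(html, allowedTags = ['h1']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample: a dashboard name that happens to carry markup.
const SAMPLE_NAME = 'Ops <b>overview</b> & alerts';

// Returns both renderings so the difference can be inspected or asserted on.
function demo(name = SAMPLE_NAME) {
  return {
    unsafe: renderTitleUnsafe(name),          // <b> survives and is interpreted
    safe: renderTitleSafe(name),              // <b> becomes &lt;b&gt;, shown as text
    unsafeLeaksTag: containsForeignTag(renderTitleUnsafe(name)),
    safeLeaksTag: containsForeignTag(renderTitleSafe(name)),
  };
}
```

The point of the check is that a name containing angle brackets should produce exactly one `<h1>` in the output and nothing else; any other tag means user text reached the DOM as markup. In a React code base the equivalent guard is simpler: keep user strings in JSX text positions and never pass them through `dangerouslySetInnerHTML`.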
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.graylog2:graylog2-server | Maven | < 2.4.4 | 2.4.4 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-435g-r2m8-gjvm (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2018-11651 (NVD entry)
[3] github.com/Graylog2/graylog2-server/pull/4739 (fix pull request)
[4] www.graylog.org/post/announcing-graylog-v2-4-4 (Graylog v2.4.4 release announcement)
News mentions (0)
No linked articles in our index yet.