CVE-2018-14380
Description
In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Graylog before 2.4.6, typeahead components were vulnerable to cross-site scripting (XSS) due to improper escaping of template content.
Vulnerability
Cross-site scripting (XSS) vulnerability exists in Graylog's typeahead components, specifically in components/common/TypeAheadInput.jsx and components/search/QueryInput.ts, prior to version 2.4.6. The failure to properly escape template content allows injection of arbitrary HTML and JavaScript [1][2].
Exploitation
An attacker who can get a crafted string into the data the typeahead draws its suggestions from has that string rendered, unescaped, into the suggestion markup shown to any user whose input matches it. The affected components belong to Graylog's web interface (the search query input and the shared typeahead input), so the victim is a user with a browser session on that interface; depending on the payload, the script may run as soon as the suggestion list is displayed or only once the victim interacts with it (e.g., selects the suggestion) [1][2].
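As an added illustration of the mechanism described above (this is not Graylog's code and not the change in PR 4904): a minimal typeahead suggestion renderer with the unescaped HTML template beside an escape-then-markup version. The function names, the `tt-suggestion` class, and the sample suggestion and query are constructed for this example. The highlighter is included because it is where typeahead escaping usually goes wrong: escaping after wrapping matches in `<strong>` kills the highlight, and escaping before matching lets a query split an entity, so the safe version escapes each segment around the match instead.

```javascript
// Added illustration, not Graylog's code or its patch: a typeahead suggestion
// renderer with the unescaped-template bug beside an escape-then-markup fix.
// Function names, the CSS class and the sample suggestion are constructed here.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape regex metacharacters so the typed query can be used as a literal pattern.
function escapeRegExp(value) {
  return String(value).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// VULNERABLE: the raw suggestion string is interpolated into the HTML
// template. Whatever markup is in the suggestion data becomes live DOM.
function renderSuggestionUnsafe(suggestion, query) {
  const text = String(suggestion);
  const highlighted = query
    ? text.replace(new RegExp(escapeRegExp(query), 'gi'), (m) => `<strong>${m}</strong>`)
    : text;
  return `<div class="tt-suggestion">${highlighted}</div>`;
}

// HARDENED: locate matches on the raw string, then escape every segment
// before wrapping matches in <strong>. Escaping after highlighting would
// also neutralise the <strong> tags; escaping before highlighting lets a
// query like "amp" split an entity. Segment-wise escaping avoids both.
function renderSuggestionSafe(suggestion, query) {
  const text = String(suggestion);
  if (!query) return `<div class="tt-suggestion">${escapeHtml(text)}</div>`;
  const pattern = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  for (const m of text.matchAll(pattern)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<strong>${escapeHtml(m[0])}</strong>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return `<div class="tt-suggestion">${out}</div>`;
}

// Crude sink check for the demo: does the rendered markup still contain a tag
// other than the <div> wrapper and the <strong> highlight we added ourselves?
function containsForeignTag(html) {
  return /<(?!\/?strong\b|\/?div\b)[a-z]/i.test(html);
}

// Constructed sample: a field name that an attacker managed to get into the
// suggestion source, and the prefix a victim types that makes it show up.
const SAMPLE_SUGGESTION = 'sourceip<img src=x onerror=alert(1)>';
const SAMPLE_QUERY = 'source';

console.log('unsafe:', renderSuggestionUnsafe(SAMPLE_SUGGESTION, SAMPLE_QUERY));
console.log('safe:  ', renderSuggestionSafe(SAMPLE_SUGGESTION, SAMPLE_QUERY));
```

Run it with `node` to see the unsafe output carry the `<img ... onerror=...>` through intact while the safe output shows it as literal text with only the typed prefix highlighted. The same escape-at-the-boundary rule applies whether the template is a string concatenation, a typeahead `template`/`highlight` option, or a React `dangerouslySetInnerHTML`.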
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, data theft, or phishing attacks [1][2].
Mitigation
The vulnerability is fixed in Graylog 2.4.6, released on July 18, 2018 [4]. Users should upgrade immediately. No workarounds are documented [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.graylog2:graylog2-server (Maven) | < 2.4.6 | 2.4.6 |
Affected products (1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-38hf-xjmx-jrh8 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-14380 (advisory)
- [3] github.com/Graylog2/graylog2-server/pull/4904 (x_refsource_CONFIRM)
- [4] www.graylog.org/post/announcing-the-release-of-graylog-2-4-6 (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.