Unrated severityNVD Advisory· Published Oct 31, 2025· Updated Nov 4, 2025

ELOG file upload stored XSS

CVE-2025-62618

Description

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.

Affected products

Elog/Elogv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bitbucket.org/ritt/elog/commits/7092ff64f6eb9521f8cc8c52272a020bf3730946mitre
bitbucket.org/ritt/elog/commits/f81e5695c40997322fe2713bfdeba459d9de09dcmitre
elog.psi.ch/elog/download/RPMS/mitre
raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-304-01.jsonmitre
www.cve.org/CVERecordmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000