CVE-2025-62618 HIGH

CVE-2025-62618: ELOG file upload stored XSS

Vendor Elog
Product ELOG
Weakness CWE-434 · Unrestricted file upload
Published October 31, 2025
Last update November 4, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In the ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.
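The fix described above, serving uploaded HTML as inert text, is shown here as an added Python example; it is not ELOG's code. The function names, the allow-list and the sample filenames are assumptions, and the sketch goes beyond HTML by treating every type outside the allow-list as non-renderable.

```python
import mimetypes

# Assumption: the only types this hypothetical server will render inline as-is.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "application/pdf"}


def naive_headers(filename):
    """Vulnerable pattern: the uploader's filename decides the Content-Type,
    so an uploaded .html file is rendered as a page on the application origin."""
    ctype, _ = mimetypes.guess_type(filename)
    return {"Content-Type": ctype or "application/octet-stream"}


def hardened_headers(filename):
    """Hardened pattern: text-like uploads (HTML included) are served as
    plain text, unknown or active types as opaque bytes, sniffing is off."""
    ctype, _ = mimetypes.guess_type(filename)
    if ctype in INLINE_SAFE:
        served = ctype
    elif ctype is not None and ctype.startswith("text/"):
        served = "text/plain; charset=utf-8"   # text/html lands here
    else:
        served = "application/octet-stream"    # e.g. SVG, XHTML, unknown
    return {
        "Content-Type": served,
        # Stops the browser from re-guessing the type from the body.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: no script execution even if a type slips through.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("report.html", "REPORT.HTM", "diagram.svg", "photo.png"):
        print(name, naive_headers(name)["Content-Type"],
              "->", hardened_headers(name)["Content-Type"])
```
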

Key dates

02 Disclosure timeline

October 31, 2025 CVE published
November 4, 2025 Record updated