CVE-2025-60447

Severity CVSS v4.0:

Pending analysis

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

03/10/2025

Last modified:

08/10/2025

Description

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

5.90

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:emlog:emlog:2.5.19::::pro:::

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://snowhy77.github.io/2025/08/21/Stored-XSS-Vulnerability-in-Emlog-Pro-HTML-Injection/