Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.graylog2/graylog2-server@6.1.10 |
|---|
| Type | maven |
|---|
| Namespace | org.graylog2 |
|---|
| Name | graylog2-server |
|---|
| Version | 6.1.10 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 6.2.4 |
|---|
| Latest_non_vulnerable_version | 6.2.4 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1ce2-9qbs-f3gj |
| vulnerability_id |
VCID-1ce2-9qbs-f3gj |
| summary |
Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser
### Impact
Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack.
An attacker with the permission `FILES_CREATE` can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application.
This enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session.
### Patches
The generic API has been removed in 6.2.0 rendering the attack vector unreachable and additional escaping has been added.
Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-q9q2-3ppx-mwqf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1ce2-9qbs-f3gj |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-atsa-zxpc-mkhx |
| vulnerability_id |
VCID-atsa-zxpc-mkhx |
| summary |
Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-46827, GHSA-76vf-mpmx-777j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atsa-zxpc-mkhx |
|
| 1 |
| url |
VCID-q7wf-bv57-hkg4 |
| vulnerability_id |
VCID-q7wf-bv57-hkg4 |
| summary |
Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-30373, GHSA-q7g5-jq6p-6wvx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q7wf-bv57-hkg4 |
|
|
|---|
| Risk_score | 4.0 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.10 |
|---|