CVE-2025-61930

Emlog Pro has CSRF issue that Enables Admin Password Reset

CVSS 8.1 HIGHEPSS 0.2%CWE-352

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 out 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Produtos afetados

emlog · emlog

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2