CVE-2025-47786
📋 TL;DR
Emlog 2.5.13 contains a stored cross-site scripting (XSS) flaw: an authenticated user can submit JavaScript in the 'perpage_num' parameter handled by comment.php, the application saves the value, and it later executes in the browser of anyone who views a page that renders it, exposing that viewer's session or enabling credential theft. Any site running Emlog 2.5.13 that lets untrusted users hold accounts (for example, with open registration) is exposed.
💻 Affected Systems
- Emlog
📦 What is this software?
Emlog is an open-source PHP blogging and website-building system developed by the Emlog project (github.com/emlog/emlog).
⚠️ Risk & Real-World Impact
Worst Case
An attacker could hijack an administrator's session (or phish administrator credentials through injected content), take over the site, deface it, or use it to serve malware to visitors.
Likely Case
Session hijacking of users who view the injected value, credential theft through injected content, or defacement of comment-related pages.
If Mitigated
Limited. If the server accepts 'perpage_num' only as a bounded integer and HTML-encodes the stored value at every point where it is rendered, the injected string never executes.
🎯 Exploit Status
Exploitation requires an authenticated account. Once logged in, the attacker needs only a single crafted request to comment.php; the payload then fires whenever a victim views the page that renders the stored value, with no further interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/emlog/emlog/security/advisories/GHSA-82qc-9vg7-2c6c
Restart Required: No
Instructions:
No fixed version is listed here. Watch the advisory linked above and the Emlog GitHub releases, and apply the vendor's patch as soon as it is published.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Manually sanitize the 'perpage_num' parameter in /admin/comment.php: accept only a run of digits (reject or reset anything else) and HTML-encode the stored value wherever it is rendered. Input validation alone does not remove a payload that is already in the database, so re-check the saved option value after hardening.
Disable User Registration
Temporarily disable new user registrations so attackers cannot create the account the exploit requires, and review existing accounts for any you do not recognise.
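The two layers the workaround above describes, validation on input and encoding on output, as an added stand-alone example. This is not Emlog's code (Emlog is PHP, where the equivalent steps are an integer cast or intval() plus htmlspecialchars()); it is written in Python so the behaviour can be run and checked offline. The bounds, the option default and the sample payload are assumptions chosen for illustration.

```python
import html
import re

# Bounds are illustrative assumptions, not Emlog's real limits.
PERPAGE_DEFAULT = 20
PERPAGE_MIN = 1
PERPAGE_MAX = 200
_DIGITS = re.compile(r"^[0-9]+$")

# Constructed sample payload, the shape an attacker would submit as perpage_num.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def validate_perpage(raw, default=PERPAGE_DEFAULT):
    """Input side: allowlist the parameter as a bounded run of ASCII digits.

    Anything else (None, empty string, sign characters, markup, SQL) is
    discarded and the default is stored instead. Returns an int, never the
    raw string, so nothing attacker-controlled reaches the database.
    """
    if raw is None or not _DIGITS.match(raw):
        return default
    value = int(raw)
    if value < PERPAGE_MIN or value > PERPAGE_MAX:
        return default
    return value


def render_unsafe(stored):
    """The vulnerable pattern: whatever was stored is interpolated into the
    page verbatim, so a stored payload becomes live markup."""
    return f'<input type="text" name="perpage_num" value="{stored}">'


def render_safe(stored):
    """Output side: HTML-encode at the sink regardless of what validation did.

    This neutralises a payload that was stored before the input check existed
    and is the defence that still holds if validation is ever bypassed.
    """
    escaped = html.escape(str(stored), quote=True)
    return f'<input type="text" name="perpage_num" value="{escaped}">'


def handle_request(raw_param):
    """Both layers together: validate on the way in, encode on the way out.
    Returns (stored_value, rendered_markup)."""
    stored = validate_perpage(raw_param)
    return stored, render_safe(stored)


if __name__ == "__main__":
    for sample in ["20", "0020", "-5", "", PAYLOAD]:
        stored, markup = handle_request(sample)
        print(f"{sample!r:48} -> stored {stored!r}: {markup}")
    print("unsafe render of a stored payload:", render_unsafe(PAYLOAD))
```

Run it and compare the last line with the hardened output for the same payload: the unsafe renderer emits a live script tag, the safe one emits `&quot;&gt;&lt;script&gt;...`, and the validator never stores the payload in the first place.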
🧯 If You Can't Patch
- Put a web application firewall (WAF) with XSS rules in front of the site, and add a parameter-specific rule that rejects requests to /admin/comment.php whose 'perpage_num' is not purely numeric; generic XSS signatures are routinely bypassed by encoding, so the allowlist rule is the one that matters.
- Audit user accounts regularly, remove any you cannot account for, and monitor comment-related admin activity for anomalies.
🔍 How to Verify
Check if Vulnerable:
The site is vulnerable if it runs Emlog 2.5.13. Confirm the installed version in the admin panel or in the source tree.
Check Version:
The running version is shown in the Emlog admin dashboard and is also recorded in the software's configuration files.
Verify Fix Applied:
After applying a fix, on a test instance submit a harmless non-numeric marker string as 'perpage_num' and confirm two things: the value is rejected or reset to a number rather than stored, and any page that renders the option shows it HTML-encoded rather than as live markup.
📡 Detection & Monitoring
Log Indicators:
- Requests to /admin/comment.php carrying a non-numeric 'perpage_num' value (if the parameter is sent in a POST body it will not appear in standard access logs; use WAF or application logs for those)
- An 'admin_commend_perpage_num' value in the database that is anything other than a small integer, in particular one containing '<', quotes or 'script'
Network Indicators:
- Fresh user registrations followed shortly by requests to comment.php with percent-encoded or otherwise obfuscated payloads
SIEM Query:
source="web_logs" AND uri="/admin/comment.php" AND (param="perpage_num" AND value!~"^[0-9]+$")
(Pseudo-syntax; translate it to your SIEM's query language. The regex is an allowlist: anything that is not a plain run of digits is flagged, and the value must be percent-decoded before the match.)
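The log and database indicators listed above, implemented as an added example that is not part of the original advisory or of Emlog. It parses combined-format access log lines, percent-decodes the query string, and flags any request to /admin/comment.php whose 'perpage_num' is not purely numeric; a POST to the same path is reported separately for review, because the access log never contains the body. The log lines are constructed for this example (the addresses are documentation ranges and the payloads are the author's), and the column layout is the common Apache/nginx combined format.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/admin/comment.php"
PARAM = "perpage_num"
_DIGITS = re.compile(r"^[0-9]+$")

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, ...
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)

# Constructed sample traffic (not a real capture). Lines 2 and 5 carry
# percent-encoded payloads; line 4 is a POST whose body the access log never sees.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:09:12:01 +0000] "GET /admin/comment.php?perpage_num=20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2025:09:12:30 +0000] "GET /admin/comment.php?perpage_num=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:09:13:02 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:09:13:40 +0000] "POST /admin/comment.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2025:09:14:11 +0000] "GET /admin/comment.php?perpage_num=20%27%20onload%3Dalert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = _ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    base = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method")}
    # parse_qs percent-decodes values, so the regex sees the real characters.
    query = parse_qs(parts.query, keep_blank_values=True)
    if PARAM not in query:
        if m.group("method") == "POST":
            return {**base, "severity": "review",
                    "reason": "POST to comment.php; a body parameter is not visible in the access log"}
        return None
    bad = [v for v in query[PARAM] if not _DIGITS.match(v)]
    if not bad:
        return None
    return {**base, "severity": "alert", "reason": "non-numeric perpage_num", "values": bad}


def scan(log_text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(line) for line in log_text.splitlines()) if f]


def stored_option_is_clean(value):
    """Database indicator: the admin_commend_perpage_num option should never
    hold anything but digits. Run this over the value read from the options table."""
    return value is not None and bool(_DIGITS.match(str(value)))


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("stored option '20' clean:", stored_option_is_clean("20"))
    print("stored option payload clean:", stored_option_is_clean('"><script>alert(1)</script>'))
```

Running it reports two alerts (the encoded script tag and the quote-breakout with an event handler) and one review item for the POST. The alert rule is deliberately an allowlist rather than a signature list, so encodings or novel payloads that dodge a WAF's XSS patterns still trip it.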