CVE-2025-60447
📋 TL;DR
A stored XSS vulnerability in Emlog Pro 2.5.19 allows administrators to inject malicious HTML/JavaScript into email templates. This could lead to persistent script execution when other users view email templates. Only administrators can exploit this vulnerability directly, but all users viewing affected email templates could be impacted.
💻 Affected Systems
- Emlog Pro
📦 What is this software?
Emlog by Emlog
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin credentials could inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users when they view email templates.
Likely Case
Malicious administrator or compromised admin account injects tracking scripts or credential-stealing payloads that affect users viewing email templates.
If Mitigated
With proper input validation and output encoding, the vulnerability is prevented, and only legitimate email template HTML is rendered.
🎯 Exploit Status
Exploitation requires administrator credentials to access /admin/setting.php?action=mail. Public proof-of-concept demonstrates HTML injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
1. Check for official patch from Emlog Pro developers.
2. Update to patched version when available.
3. Apply input validation and output encoding fixes to /admin/setting.php?action=mail component.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation and sanitization of HTML input in email template configuration.
- Modify /admin/setting.php to sanitize HTML input using libraries like HTMLPurifier
Content Security Policy
Implement CSP headers to restrict script execution from untrusted sources.
- Add Content-Security-Policy header to restrict script sources
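The two workarounds above, shown together as an added illustration (this is not Emlog's code and not HTMLPurifier; it is a small allowlist sanitizer built on Python's standard html.parser, plus the CSP value a defender would pair with it). The allowlist of tags and attributes, the sample template string and the CSP directives are assumptions chosen for the demonstration; an email template feature that needs richer markup would extend the allowlist rather than loosen the rules:

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a mail template: basic formatting plus links.
# Anything not listed here is dropped; its text content is kept, escaped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-serialise only allowlisted tags/attributes; escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None  # <script>/<style> whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in ("script", "style"):
            self.dropping = tag  # discard the element and everything inside it
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element (img, iframe, ...): drop tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and relative URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, are discarded

    handle_decl = handle_pi = handle_comment


def sanitize_template(raw_html):
    """Return an allowlist-sanitised copy of an untrusted HTML template."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


def csp_header():
    """Second layer of defence: without 'unsafe-inline', an injected inline
    <script> or onclick= handler is refused by the browser even if the
    sanitizer is bypassed. Directive set is an assumption for this example."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'self'")


# Constructed sample input: legitimate template markup mixed with the kinds of
# injection a malicious administrator might store in the template field.
UNTRUSTED_TEMPLATE = (
    '<p>Hi <b>{name}</b></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="x()">reset</a> '
    '<a href="https://example.com/reset?u=1&v=2">reset</a>'
    '<img src=x onerror=alert(1)>'
)

if __name__ == "__main__":
    print(sanitize_template(UNTRUSTED_TEMPLATE))
    print(": ".join(csp_header()))
```

Sanitizing on save (the stored value) and again on render is the conservative choice: the stored copy then cannot carry script even if a later code path forgets to encode, and the CSP catches what slips through both.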
🧯 If You Can't Patch
- Restrict administrator access to trusted personnel only
- Implement web application firewall rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Access /admin/setting.php?action=mail as administrator and attempt to inject HTML/JavaScript into email template fields. Check if scripts execute when viewing templates.
Check Version:
Check Emlog Pro version in admin panel or configuration files
Verify Fix Applied:
Test that HTML/JavaScript injection attempts are properly sanitized and do not execute when viewing email templates.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript patterns in email template configuration requests
- Multiple failed login attempts to admin panel
Network Indicators:
- HTTP requests to /admin/setting.php with suspicious payloads
- Outbound connections to unknown domains from email template views
SIEM Query:
source="web_logs" AND (uri="/admin/setting.php" AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:"))
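The SIEM query above matches only the literal strings "<script>" and "javascript:", which a URL-encoded or mixed-case submission to the settings page would evade. The following added example (not part of the original advisory and not an Emlog or SIEM-vendor artifact) applies the same idea to a constructed JSON-lines request log, decoding the payload first and matching a slightly broader pattern set; the log format, the field names (including the mail_template parameter) and the timestamps are all assumptions made for the demonstration:

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Slightly broader than the two literals in the SIEM query: tag with optional
# whitespace, javascript: scheme, inline event handlers, embedding elements.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "embed_element": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

WATCHED_PATH = "/admin/setting.php"  # path named in the advisory

# Constructed sample log: one JSON record per request, as a reverse proxy or
# WAF that captures POST bodies might emit. Field names are assumptions.
SAMPLE_LOG = """
{"ts": "2025-11-03T10:01:12Z", "src": "10.0.0.5", "method": "GET", "uri": "/admin/setting.php?action=mail", "body": ""}
{"ts": "2025-11-03T10:02:40Z", "src": "10.0.0.5", "method": "POST", "uri": "/admin/setting.php?action=mail", "body": "mail_template=%3Cp%3EHello+%7Bname%7D%3C%2Fp%3E"}
{"ts": "2025-11-03T10:05:03Z", "src": "10.0.0.9", "method": "POST", "uri": "/admin/setting.php?action=mail", "body": "mail_template=%3CSCRIPT%3Ealert(1)%3C%2Fscript%3E"}
{"ts": "2025-11-03T10:06:55Z", "src": "10.0.0.9", "method": "POST", "uri": "/admin/setting.php?action=mail", "body": "mail_template=%3Ca+href%3D%22JavaScript%3Aalert(1)%22+onclick%3D%22x()%22%3Eclick%3C%2Fa%3E"}
{"ts": "2025-11-03T10:07:10Z", "src": "10.0.0.7", "method": "GET", "uri": "/index.php?s=%3Cscript%3E", "body": ""}
"""


def normalise(text, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen."""
    prev = None
    for _ in range(rounds):
        if text == prev:
            break
        prev, text = text, unquote_plus(text)
    return text


def scan_record(rec):
    """Return an alert dict for a suspicious settings-page request, else None."""
    uri = rec.get("uri", "")
    if urlsplit(uri).path != WATCHED_PATH:
        return None
    payload = normalise(uri) + "\n" + normalise(rec.get("body", ""))
    hits = [name for name, rx in XSS_PATTERNS.items() if rx.search(payload)]
    if not hits:
        return None
    return {"ts": rec.get("ts"), "src": rec.get("src"),
            "method": rec.get("method"), "matched": hits}


def scan_log(text):
    """Scan JSON-lines log text; return the list of alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = scan_record(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a)
```

Only the two encoded submissions from 10.0.0.9 are reported; the legitimate template save with plain paragraph markup and the unrelated /index.php request are not. Because this is the mail-template settings page, a single match from an admin account is worth an analyst's look even without the other log indicators listed above.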