GHSA-76vf-mpmx-777j
Vulnerability from github
Published
2025-05-07 15:27
Modified
2025-05-07 19:08
Severity ?
VLAI Severity ?
Summary
Graylog Allows Session Takeover via Insufficient HTML Sanitization
Details
Impact
It is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc).
Patches
Workarounds
None, as long as the relatively rare prerequisites are met.
Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.13"
},
"package": {
"ecosystem": "Maven",
"name": "org.graylog2:graylog2-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.graylog2:graylog2-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46827"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-07T15:27:24Z",
"nvd_published_at": "2025-05-07T16:15:22Z",
"severity": "HIGH"
},
"details": "### Impact\nIt is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. \nFor this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc).\n\n### Patches\n\n### Workarounds\nNone, as long as the relatively rare prerequisites are met.\n\nAnalysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd",
"id": "GHSA-76vf-mpmx-777j",
"modified": "2025-05-07T19:08:39Z",
"published": "2025-05-07T15:27:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46827"
},
{
"type": "PACKAGE",
"url": "https://github.com/Graylog2/graylog2-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Graylog Allows Session Takeover via Insufficient HTML Sanitization"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…