cvelistv5 - cve-2025-61930

CVE-2025-61930 (GCVE-0-2025-61930)

Vulnerability from cvelistv5

Published

2025-10-10 20:01

Modified

2025-10-10 20:44

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Summary

Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.

References

URL

Tags

security-advisories@github.com

https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2

Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	emlog	emlog	Version: <= pro-2.5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61930",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-10T20:44:39.648845Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-10T20:44:48.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emlog",
          "vendor": "emlog",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= pro-2.5.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross\u2011Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged\u2011in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T20:01:42.182Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2"
        }
      ],
      "source": {
        "advisory": "GHSA-m2qw-9wjx-qxm2",
        "discovery": "UNKNOWN"
      },
      "title": "Emlog Pro has CSRF issue that Enables Admin Password Reset"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61930",
    "datePublished": "2025-10-10T20:01:42.182Z",
    "dateReserved": "2025-10-03T22:21:59.617Z",
    "dateUpdated": "2025-10-10T20:44:48.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-61930\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-10T20:15:38.803\",\"lastModified\":\"2025-10-20T16:47:37.100\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross\u2011Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged\u2011in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*\",\"versionEndIncluding\":\"2.5.19\",\"matchCriteriaId\":\"72E4E5DE-A4A2-4326-B8EE-71690D75F7AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61930\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-10T20:44:39.648845Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-10T20:44:44.972Z\"}}], \"cna\": {\"title\": \"Emlog Pro has CSRF issue that Enables Admin Password Reset\", \"source\": {\"advisory\": \"GHSA-m2qw-9wjx-qxm2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"emlog\", \"product\": \"emlog\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= pro-2.5.19\"}]}], \"references\": [{\"url\": \"https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2\", \"name\": \"https://github.com/emlog/emlog/security/advisories/GHSA-m2qw-9wjx-qxm2\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross\\u2011Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged\\u2011in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-10T20:01:42.182Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-61930\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-10T20:44:48.803Z\", \"dateReserved\": \"2025-10-03T22:21:59.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-10T20:01:42.182Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-61930

Vulnerability from fkie_nvd