Emlog Pro Stored Cross-Site Scripting Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in Emlog Pro version 2.5.19, specifically within the email template configuration component at /admin/setting.php?action=mail. This vulnerability allows administrators to input unvalidated HTML, enabling persistent execution of JavaScript.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected administrator's browser. This could lead to the theft of session cookies and authentication tokens, unauthorized actions on behalf of the victim administrator, and potentially more severe attacks or system compromise.

Reproduction

To reproduce this vulnerability, navigate to the email template configuration page as an administrator. Inject malicious HTML, such as an image tag with an 'onerror' event, into the template field. Save the changes, which will store the injected code in the database. The JavaScript payload will execute automatically when the email template configuration page is accessed again.

Remediation

To address this vulnerability, Emlog Pro should implement proper sanitization of HTML input in the email template field, strip or encode dangerous HTML attributes and event handlers, establish a Content Security Policy (CSP) to block inline script execution, and validate user input against a whitelist of allowed HTML tags and attributes.