ELOG
cpe:2.3:a:elog_project:elog:*:*:*:*:*:*:*
- < 3.1.5-20251014
A stored cross-site scripting vulnerability has been identified in ELOG versions prior to 3.1.5-20251014. This issue allows authenticated users to upload arbitrary HTML files, which are then executed in the context of other users when the file is opened. The vulnerability is exacerbated by the fact that ELOG includes usernames and password hashes in certain HTTP requests. As a result, an attacker could capture these credentials, either to replay them or to crack the password hashes offline. In the 3.1.5-20251014 release, HTML files are rendered as plain text, mitigating the cross-site scripting risk but not addressing the underlying issue of file upload.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded HTML files are executed in the context of users who open them. Additionally, the vulnerability could lead to credential theft, as ELOG transmits usernames and password hashes in some HTTP requests.
To reproduce this vulnerability, an authenticated user can upload an HTML file containing malicious script elements. Once uploaded, the file can be accessed by other users, who will unwittingly execute the embedded scripts. This process can be automated with a simple script that uploads the HTML file and then accesses it after a short delay.
Users can update to ELOG version 3.1.5-20251014, where this vulnerability has been fixed.
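The fix described above, serving uploaded HTML as plain text, can be sketched as a serving-side control. This is an added example, not ELOG's own code: the function names, the extension table and the sample file name are assumptions, and it generalizes from HTML to an extension allowlist with anti-sniffing headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extension -> Content-Type allowlist (constructed for this example).
   Markup is served as plain text so the browser shows it, not runs it. */
#define PLAIN "text/plain; charset=utf-8"
struct mime { const char *ext, *type; };
static const struct mime TYPES[] = {
    { "png", "image/png" }, { "jpg", "image/jpeg" }, { "gif", "image/gif" },
    { "txt", PLAIN }, { "html", PLAIN }, { "htm", PLAIN }, { "svg", PLAIN },
};

/* Case-insensitive string equality in standard C. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Type to send for an upload; unlisted extensions become a download. */
const char *served_type(const char *filename)
{
    const char *dot = strrchr(filename, '.');
    for (size_t i = 0; dot && i < sizeof TYPES / sizeof TYPES[0]; i++)
        if (ieq(dot + 1, TYPES[i].ext))
            return TYPES[i].type;
    return "application/octet-stream";
}

/* Write the response headers into buf; nosniff stops the browser from
   re-guessing HTML from the body. Returns length, or -1 if buf is small. */
int attachment_headers(const char *filename, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "Content-Type: %s\r\n"
                     "X-Content-Type-Options: nosniff\r\n"
                     "Content-Security-Policy: sandbox\r\n",
                     served_type(filename));
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char hdr[160]; /* "shift-notes.HTML" is a constructed file name */
    if (attachment_headers("shift-notes.HTML", hdr, sizeof hdr) > 0)
        fputs(hdr, stdout);
    return 0;
}
```

Because the upload itself is still accepted, the control has to sit on the response path: every attachment response needs the downgraded type and `nosniff`, not only responses for files with an `.html` name.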