emlog
cpe:2.3:a:emlog:emlog:*:*:*:*:*:*:*
- <= 2.2.0
A stored cross-site scripting vulnerability has been identified in the Emlog comment module, prior to version 2.6.8. This issue arises from a bypass of URI scheme validation, allowing attackers to inject malicious JavaScript into comment links. The vulnerability is exploited by submitting comments that include `javascript:` pseudo-protocols, which are not properly sanitized before being rendered as clickable links. When these links are activated, the injected scripts execute, potentially leading to session hijacking or theft of sensitive information.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the comment.
To reproduce this vulnerability, submit a comment containing a URL formatted with a `javascript:` pseudo-protocol. The Emlog UBB parsing engine will render this as a link without proper validation, injecting the script into the `href` attribute. Once the comment is published, the script can be executed by clicking the link, especially in browsers like Firefox or Chrome when opened in a new window.
Users are advised to update to Emlog version 2.6.8 or later, where this vulnerability has been patched.
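The validation gap described above is closed by an allowlist check applied to the canonical form of the URL before it reaches `href`. The following is an added example, not Emlog's code or its 2.6.8 patch; the function names `safe_comment_href` and `render_comment_link` and the sample inputs are hypothetical, and it assumes comment links must be absolute `http`/`https` URLs.

```php
<?php
// Added example; function names and sample inputs are hypothetical, not Emlog's code.
const ALLOWED_SCHEMES = ['http', 'https'];

/** Return a URL that is safe to place in href, or null if it must be rejected. */
function safe_comment_href(string $raw): ?string
{
    // Decode entities first, as the browser does when it reads the attribute value.
    $url = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // URL parsers drop tab/CR/LF anywhere and trim surrounding C0 controls and spaces.
    $url = trim(str_replace(["\t", "\r", "\n"], '', $url), "\x00..\x20");
    // Require an explicit scheme followed by "//"; anything else is not a link.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $url, $m)) {
        return null;
    }
    // Schemes are case-insensitive, so compare the lowercased form to the allowlist.
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $url : null;
}

/** Render a comment link, falling back to escaped plain text when the URL is rejected. */
function render_comment_link(string $raw, string $text): string
{
    $label = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = safe_comment_href($raw);
    if ($href === null) {
        return $label; // rejected: never emit a clickable link
    }
    // Escape on output so the value cannot break out of the attribute.
    $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow ugc noopener">' . $label . '</a>';
}

// Constructed inputs: one legitimate link, then forms the validator must reject.
$samples = [
    'https://example.com/post?id=1&ref=2',
    'javascript:void(0)',
    "JaVa\tScRiPt:void(0)",       // mixed case with an embedded tab
    '&#106;avascript:void(0)',    // entity-encoded first letter
    'data:text/html,x',           // other non-allowlisted scheme
];
foreach ($samples as $s) {
    echo json_encode($s), ' => ', render_comment_link($s, 'link'), PHP_EOL;
}
```

Only the first sample is rendered as an anchor; the others come back as the escaped label text.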