CVE-2025-53923
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | up to and including 2.5.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a reflected cross-site scripting (XSS) vulnerability (CWE-79) in Emlog, affecting versions up to and including 2.5.17 per the affected-products table above. The value of the 'keyword' parameter is written back into the response page without being encoded for its HTML context, so the browser parses whatever it contains as markup rather than as text. An attacker who gets an administrator to open a crafted link carrying a script payload in that parameter has the script execute in the admin's browser, within the site's origin and the admin's authenticated session.
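The following is an added example, not emlog's code and not part of the BaseFortify page: a minimal Python model of the CWE-79 pattern described above. The page layout (a heading plus a search box that echoes the keyword), the function names and the two payloads are constructed for illustration. It shows the same parameter reflected raw and then escaped, and uses an HTML parser to check whether the keyword changed the document's tag structure, which is the browser's-eye view of "injected markup".

```python
"""Added example for this page: a minimal model of the CWE-79 pattern behind
CVE-2025-53923. It is not emlog's code. The page layout, the function names
and the two payloads are constructed for illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payloads: one for the HTML text context, one that breaks out of
# an attribute value (no '<' needed for that one).
SCRIPT_PAYLOAD = "<script>alert(document.domain)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'

# Tags and attribute names a clean render of the page below must contain.
BASELINE = [("h2", []), ("input", ["type", "name", "value"])]


def crafted_link(base_url: str, payload: str) -> str:
    """The link an attacker would send. Percent-encoding hides nothing,
    because the server decodes the parameter before using it."""
    return base_url + "?" + urlencode({"keyword": payload})


def keyword_from_url(url: str) -> str:
    """Server-side view of the 'keyword' parameter (percent-decoding applied)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("keyword", [""])[0]


def render_vulnerable(keyword: str) -> str:
    """Reflects the raw parameter into HTML text and into an attribute value."""
    return (
        "<h2>Search results for: " + keyword + "</h2>\n"
        '<input type="text" name="keyword" value="' + keyword + '">'
    )


def render_fixed(keyword: str) -> str:
    """Same page with the parameter escaped for both contexts. quote=True also
    converts '"' and "'", which is what keeps the attribute value closed."""
    safe = html.escape(keyword, quote=True)
    return (
        "<h2>Search results for: " + safe + "</h2>\n"
        '<input type="text" name="keyword" value="' + safe + '">'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(rendered: str) -> list[tuple[str, list[str]]]:
    """Parse a rendered page and return its tags. Anything beyond BASELINE
    means the keyword changed the document structure."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    link = crafted_link("https://blog.example/index.php", ATTR_PAYLOAD)
    kw = keyword_from_url(link)
    print("link sent to admin:", link)
    print("vulnerable render :", parse_tags(render_vulnerable(kw)))
    print("fixed render      :", parse_tags(render_fixed(kw)))
```

The attribute payload is the one to keep in mind when reviewing a fix: a filter that only strips `<` and `>` leaves it intact, whereas context-aware escaping of `"` (as `html.escape(..., quote=True)` does) closes the hole in both contexts.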
How can this vulnerability impact me?
Script running in an administrator's browser under the site's origin can read anything that page can read and send any request the admin is authorized to make. In practice that means hijacking the admin session (stealing or reusing its tokens), exfiltrating data shown in the admin interface, performing administrative actions such as changing settings or content, and thereby compromising the integrity of the site. HttpOnly session cookies limit cookie theft but do not stop actions performed through the admin's live session.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a release newer than the affected range listed above as soon as one is available to you. Until then: have your WAF or reverse proxy reject requests whose decoded 'keyword' value contains markup (tags, javascript: URLs, on*= event handlers), keeping in mind that pattern filters can be bypassed and are a stopgap rather than a fix; remind administrators not to open untrusted links to the site, particularly while logged in; consider a Content-Security-Policy that disallows inline script for the admin interface, if the application tolerates it; and review access logs for requests carrying such keyword values. In a reflected attack the request is made by the victim's browser, so the source IP identifies the admin, while the Referer header, when present, identifies where the link was placed.
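As an added example (constructed for this page, not an emlog or BaseFortify tool), here is a log check a practitioner could run to find exploitation attempts against the 'keyword' parameter, and whose markup pattern could seed the WAF rule mentioned above. The log lines, hostnames and addresses are made up; the format is the common combined access-log layout. It decodes the parameter the way the application would (including double-encoded values) and keeps the Referer, since in a reflected attack that is the best clue to where the link was planted.

```python
"""Added example for this page: hunting for exploitation attempts against the
'keyword' parameter in web server access logs. Stand-alone and constructed
here, not an emlog or BaseFortify tool. Log lines, hosts and IPs are made up."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; the referer/user-agent tail is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Markup that has no business in a search term: a tag, a javascript: URL or an
# on*= event handler. Whitespace after '<' is deliberately not accepted,
# because browsers do not treat "a < b" as a tag either.
MARKUP_RE = re.compile(r"</?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample: a normal search, a <script> payload, a double-encoded
# attribute break-out, a payload in an unrelated parameter, and junk.
SAMPLE_LOG = [
    '198.51.100.23 - - [16/Jul/2025:09:02:11 +0000] "GET /index.php?keyword=php+tutorial HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jul/2025:10:21:03 +0000] "GET /index.php?keyword=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5120 "https://forum.example/thread/42" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jul/2025:10:21:40 +0000] "GET /admin/index.php?keyword=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 6011 "https://forum.example/thread/42" "Mozilla/5.0"',
    '192.0.2.99 - - [16/Jul/2025:11:00:00 +0000] "GET /index.php?q=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 404 320 "-" "curl/8.0"',
    "not an access log line",
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %253C (double-encoded '<') is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def keyword_values(target: str) -> list[str]:
    """All 'keyword' values in a request target, decoded as the app would see them."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [decode_fully(v) for v in params.get("keyword", [])]


def suspicious_keyword_requests(lines) -> list[dict]:
    """One record per request whose keyword parameter carries markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for kw in keyword_values(m["target"]):
            if MARKUP_RE.search(kw):
                hits.append({
                    "ip": m["ip"],            # the victim's address in a reflected attack
                    "ts": m["ts"],
                    "status": m["status"],    # 200 means the page was served, i.e. reflected
                    "referer": m["referer"],  # where the victim was sent from, if logged
                    "keyword": kw,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_keyword_requests(SAMPLE_LOG):
        print(hit)
```

The pattern is intentionally narrow so ordinary searches are not flagged; it does not catch entity-encoded forms such as `&lt;script&gt;`, which the browser would only interpret if the application decoded them, so extend it if your logs show that. Blocking on the same pattern at the edge buys time, but a filter is not a substitute for the output encoding the fix requires.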