CVE-2025-61930
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | up to 2.5.19 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in Emlog Pro versions 2.5.19 and earlier. It allows an attacker to trick a logged-in administrator into submitting a crafted POST request to the password change endpoint without their consent, resulting in the admin password being changed.
How can this vulnerability impact me?
The impact of this vulnerability is account takeover of privileged users, specifically administrators. This can lead to unauthorized access and control over the website built with Emlog Pro.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions exist, immediate mitigation steps include restricting access to the Emlog Pro admin interface to trusted networks, implementing additional CSRF protections such as custom tokens or headers if possible, and educating administrators to avoid clicking on suspicious links while logged in. Monitoring for unusual password change requests and enforcing strong authentication methods can also help reduce risk.