Graylog, Stored Cross-Site Scripting (XSS), CVE-2025-XXXX (High)

How the CVE Works

The vulnerability combines two flaws in Graylog's Files plugin and API browser. An attacker holding the `FILES_CREATE` permission uploads a file containing JavaScript through the Files plugin. When another user opens that file through the API browser, the stored content is rendered in the victim's browser rather than treated as inert data, so the script runs in the victim's session. From there it can hijack the session and issue API calls with the victim's privileges. The chain works because neither the file-handling code nor the API response rendering validates or sanitizes the content it passes through.

DailyCVE Form

Platform: Graylog
Version: <6.2.0
Vulnerability: Stored XSS
Severity: High
Date: May 7, 2025

What Undercode Says:

Exploitation:

1. Upload Malicious File (the form field name `file` is an assumption; confirm the field your Graylog version's Files endpoint expects):

curl -X POST -H "Authorization: Bearer <TOKEN>" -F "file=@malicious.js" https://graylog/api/files

2. Trigger Execution (fetch the stored file in the victim's page and evaluate it; `r.text()` returns a promise, so it must be resolved before `eval`):

fetch('/api/files/malicious.js').then(r => r.text()).then(src => eval(src));

Protection:

1. Patch: Upgrade to Graylog ≥6.2.0.

2. Workaround: Restrict `FILES_CREATE` permissions.

3. Sanitization (defense in depth only: `default-src 'self'` still permits scripts loaded from the Graylog origin itself, so this header does not by itself stop a same-origin stored file from executing):

add_header Content-Security-Policy "default-src 'self'";

4. Log Monitoring (assumes API request logging is enabled and written to this path; adjust the path for your deployment):

grep "POST /api/files" /var/log/graylog/server.log
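Grepping for uploads only tells you that something was posted. The following is an added example, not code from the page or from Graylog, that turns the log-monitoring idea into a small detector: it parses access-log lines, keeps successful POSTs to /api/files, and flags uploads whose extension a browser would execute or render as active content, attributed to the uploading user. The log line format, the field layout, the function names and the sample lines are all constructed for this example; Graylog's real access-log format and path are deployment-specific, so adapt the regex to yours.

```javascript
// Added example (not Graylog code): flag Files-plugin uploads of active content.
// SAMPLE_LOG is constructed for this example in an assumed format:
//   <timestamp> <client ip> <user> "<method> <path> <proto>" <status> [filename=<name>]
const SAMPLE_LOG = [
  '2025-05-07T10:01:12Z 10.0.0.5 alice "POST /api/files HTTP/1.1" 201 filename=report.txt',
  '2025-05-07T10:02:40Z 10.0.0.9 bob "POST /api/files HTTP/1.1" 201 filename=malicious.js',
  '2025-05-07T10:03:02Z 10.0.0.9 bob "GET /api/files/malicious.js HTTP/1.1" 200',
  '2025-05-07T10:04:55Z 10.0.0.7 carol "POST /api/files HTTP/1.1" 201 filename=notes.html',
  '2025-05-07T10:05:10Z 10.0.0.5 alice "POST /api/search HTTP/1.1" 200',
];

// Extensions a browser will execute or render as active content when served inline.
const ACTIVE_EXTENSIONS = new Set(['js', 'mjs', 'html', 'htm', 'svg', 'xhtml']);

// Matches the assumed line layout above; returns null for lines it cannot parse.
const LINE_RE = /^(\S+) (\S+) (\S+) "(\w+) (\S+) [^"]*" (\d{3})(?: filename=(\S+))?$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1], ip: m[2], user: m[3], method: m[4], path: m[5],
    status: Number(m[6]), filename: m[7] || null,
  };
}

function isActiveContent(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  return ACTIVE_EXTENSIONS.has(ext);
}

// Successful Files-plugin uploads whose name suggests browser-executable content,
// in log order, with the user and source IP needed to follow up on the alert.
function findSuspiciousUploads(lines) {
  return lines
    .map(parseLine)
    .filter(e => e && e.method === 'POST' && e.path === '/api/files' && e.status < 300 && e.filename)
    .filter(e => isActiveContent(e.filename))
    .map(e => ({ ts: e.ts, user: e.user, ip: e.ip, filename: e.filename }));
}

for (const h of findSuspiciousUploads(SAMPLE_LOG)) {
  console.log(`ALERT ${h.ts} user=${h.user} ip=${h.ip} uploaded ${h.filename}`);
}
```

On the constructed sample the detector reports bob's malicious.js and carol's notes.html and ignores alice's report.txt and the unrelated search request. Pair the alert with the `FILES_CREATE` grant list: an upload of active content by an account that should not hold that permission is the stronger signal.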

Detection:

import requests

def scan_files_listing(base_url, token):
    # Coarse check: flags any listing that mentions "script"; expect false positives on legitimate content.
    response = requests.get(f"{base_url}/api/files",
                            headers={"Authorization": f"Bearer {token}"}, timeout=10)
    return "script" in response.text.lower()

if scan_files_listing("https://graylog", "<TOKEN>"):
    print("XSS Detected!")

Mitigation Code:

// Server-side file type validation. The mimetype is supplied by the client and is
// attacker-controlled, so this check alone is not enough: also validate the extension
// and the content, and serve stored files as inert downloads rather than inline.
if (file.mimetype !== 'text/plain') {
  throw new Error("Invalid file type");
}
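The two halves of the fix are validating what is stored and controlling how it is served back, and the same content checks double as a scanner for files already on disk. The following is an added example covering both the Detection and Mitigation Code sections above; it is not Graylog's code and not the page's own. It assumes an upload object with `name`, `mimetype` and `buffer` fields (the shape common Node upload middleware produces), and the function names, the extension allowlist, the script markers and the sample uploads are all assumptions constructed for this example.

```javascript
// Added example (not Graylog code): validate a Files-plugin upload and choose
// response headers so the browser treats the stored file as data, never as a page.
// The upload object shape { name, mimetype, buffer } is an assumption of this example.

const TEXT_EXTENSIONS = new Set(['txt', 'log', 'csv', 'json']);            // allowlist
const ACTIVE_EXTENSIONS = new Set(['js', 'mjs', 'html', 'htm', 'svg', 'xhtml']); // always reject

// Markers of active content that an allowlisted text file should never contain.
const SCRIPT_MARKERS = [
  /<\s*script\b/i,
  /\bon(error|load|click|mouseover|focus|animationstart)\s*=/i, // inline event handlers
  /javascript\s*:/i,
  /<\s*iframe\b/i,
];

// Returns { ok: true } or { ok: false, reason }. Used at upload time, and over
// existing stored files to find content the old code let through.
function validateUpload(file) {
  const ext = file.name.toLowerCase().split('.').pop() || '';
  if (ACTIVE_EXTENSIONS.has(ext)) return { ok: false, reason: `active content extension .${ext}` };
  if (!TEXT_EXTENSIONS.has(ext)) return { ok: false, reason: `extension .${ext} not on allowlist` };
  // The client-reported MIME type is attacker-controlled: check it, but never trust it alone.
  if (!/^(text\/plain|text\/csv|application\/json)$/.test(file.mimetype)) {
    return { ok: false, reason: `mimetype ${file.mimetype} not allowed` };
  }
  const body = file.buffer.toString('utf8');
  for (const re of SCRIPT_MARKERS) {
    if (re.test(body)) return { ok: false, reason: `script marker ${re.source}` };
  }
  return { ok: true };
}

// Headers for serving a stored file: force a download, pin a non-executable type,
// forbid MIME sniffing, and give any renderer that ignores the above a locked-down CSP.
function safeDownloadHeaders(filename) {
  const safeName = filename.replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': 'text/plain; charset=utf-8',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample uploads for this example (not real files).
const SAMPLES = [
  { name: 'report.txt', mimetype: 'text/plain', buffer: Buffer.from('all quiet on the SIEM') },
  { name: 'malicious.js', mimetype: 'text/plain', buffer: Buffer.from('fetch("/api/system/sessions")') },
  { name: 'notes.txt', mimetype: 'text/plain', buffer: Buffer.from('<img src=x onerror=alert(document.cookie)>') },
];

for (const f of SAMPLES) console.log(f.name, validateUpload(f));
console.log(safeDownloadHeaders('report.txt'));
```

Note that `malicious.js` is rejected by extension even though its declared mimetype is `text/plain`, which is exactly the case the single mimetype check above misses, and `notes.txt` is rejected on content despite a clean name and type. The response headers matter independently of validation: a file served with `Content-Disposition: attachment` and `nosniff` cannot run in the victim's session even if a bad upload slips through.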

Sources:

Reported By: github.com
Extra Source Hub: Undercode
