Arbitrary File Upload Vulnerability in ELOG by Ritt
CVE-2025-62618

8.6 HIGH

Key Information:

Vendor: Elog

Status
Vendor
CVE Published: 31 October 2025

What is CVE-2025-62618?

The ELOG application allows authenticated users to upload arbitrary HTML files, which are executed in the context of other users when they access the file. This is a serious security risk because it can enable attackers to capture sensitive information present in HTTP requests, such as usernames and password hashes. Attackers can then either replay the credentials or crack the password hashes offline, compromising user accounts and system integrity. The issue is particularly notable in version 3.1.5-20251014, where HTML files are improperly rendered, escalating the vulnerability's impact.

Affected Version(s)

ELOG 0 < 3.1.5-20251014

ELOG 3.1.5-20251014

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Karl Meister, CISA