CVE-2025-60447 in Pro
Summary
by MITRE • 10/03/2025
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/03/2025
This stored cross-site scripting vulnerability in Emlog Pro 2.5.19 represents a critical security flaw that enables persistent malicious code execution through the email template configuration interface. The vulnerability specifically resides within the administrative panel at /admin/setting.php?action=mail where administrators can configure email templates. When administrators input HTML content into these template fields without proper sanitization, the system fails to validate or escape potentially dangerous script tags and executable code. This allows attackers who have gained administrative access or can manipulate the configuration to inject malicious JavaScript that persists in the system and executes whenever the email template is rendered or processed. The flaw falls under CWE-79 which specifically addresses cross-site scripting vulnerabilities where input is not properly validated or escaped before being rendered in web pages.
The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent backdoor within the application's administrative interface. An attacker who can modify email templates can inject malicious JavaScript that may steal session cookies, redirect users to phishing sites, or even execute additional attacks through the compromised admin session. The stored nature of this vulnerability means that once exploited, the malicious code remains active until manually removed from the configuration, potentially allowing long-term persistence within the system. This type of vulnerability aligns with ATT&CK technique T1566.001 which covers credential harvesting through phishing and social engineering, as the malicious scripts could be designed to capture login credentials or other sensitive information from users interacting with the compromised email templates.
Security practitioners should implement immediate mitigations including input validation and output encoding for all user-supplied content within email template configuration fields. The system should enforce strict sanitization of HTML content to prevent script execution while maintaining legitimate template functionality. Additionally, implementing proper access controls and privilege separation ensures that only authorized administrators can modify email templates, reducing the attack surface. Regular security audits of configuration interfaces and input validation mechanisms should be conducted to identify similar vulnerabilities. The vulnerability demonstrates the importance of proper input sanitization in web applications and aligns with security best practices outlined in OWASP Top 10 A03:2021 which specifically addresses injection vulnerabilities including XSS. Organizations should also consider implementing Content Security Policy headers to provide additional protection against script execution even if similar vulnerabilities exist in other parts of the application.