SB2026041016 - Multiple vulnerabilities in Emlog Pro




Published: April 10, 2026

Security Bulletin ID: SB2026041016
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary script code in the administrator's browser.

The vulnerability exists due to cross-site scripting and missing request validation in link management when handling a forged request that creates a crafted link entry and later rendering the icon field. A remote attacker can submit a specially crafted request to execute arbitrary script code in the administrator's browser.

Exploitation requires an administrator to be logged in and to open the link management page after the crafted entry has been created.


2) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary script in an administrator context.

The vulnerability exists due to cross-site scripting in the article edit page when rendering stored custom field values. A remote user can submit specially crafted field_keys[] and field_values[] data to execute arbitrary script in an administrator context.

User interaction is required when an administrator or editor opens the article edit page.
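
The two root causes named above (a state-changing request accepted without validation, and stored values rendered without encoding) map to three server-side checks. The sketch below is an added example, not Emlog Pro's code or the vendor's patch; every function name, the `csrf_token` field and the row markup are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration: hypothetical names, not Emlog Pro's code or its patch.
declare(strict_types=1);

// Encode a stored value for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request validation: a state-changing POST must carry the session's token.
function csrf_ok(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Input validation: keep only absolute http(s) icon URLs, otherwise store ''.
function clean_icon_url(string $url): string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// Output encoding for a link row: the icon and name are encoded when rendered.
function render_link_row(string $icon, string $name): string
{
    return sprintf('<tr><td><img src="%s" alt=""></td><td>%s</td></tr>', h($icon), h($name));
}

// Output encoding for the edit form: parallel field_keys[] / field_values[] arrays.
function render_custom_fields(array $keys, array $values): string
{
    $html = '';
    foreach ($keys as $i => $key) {
        $html .= sprintf("<input name=\"field_keys[]\" value=\"%s\">", h((string) $key));
        $html .= sprintf("<input name=\"field_values[]\" value=\"%s\">\n", h((string) ($values[$i] ?? '')));
    }
    return $html;
}

// Constructed sample input: a POST without a token, a non-http icon, markup in a field.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
var_dump(csrf_ok($session, ['name' => 'demo', 'icon' => 'data:text/html,x']));
var_dump(clean_icon_url('data:text/html,x'), clean_icon_url('https://example.test/i.png'));
echo render_link_row('https://example.test/i.png', 'A "quoted" <name>'), "\n";
echo render_custom_fields(['note'], ['"><b>markup</b>']);
```

Encoding at render time is the check that matters for entries already stored before an update is installed; the token and scheme checks only stop new ones from being created.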


Remediation

Install the update from the vendor's website.