Graylog
CVE-2018-11650
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 4 maven packages depend on org.graylog2:graylog2-server (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.4.4.
DescriptionNVD
Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.
AnalysisAI
Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. Affected products include: Graylog.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Graylog is a free and open log management platform. Rated high severity (CVSS 8.8), this vulnerability is remotely explo
Graylog is a free and open log management platform. Rated high severity (CVSS 7.1), this vulnerability is remotely explo
Improper session invalidation in Graylog Web Interface 2.2.3 allows attackers to maintain access through expired session
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access l
Graylog is a free and open log management platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exp
Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-
Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. Rated high severity (CVSS 8.1), this vulnerabili
Graylog is a free and open log management platform. Rated high severity (CVSS 8.0), this vulnerability is remotely explo
Graylog is a free and open log management platform. Rated low severity (CVSS 3.8), this vulnerability is remotely exploi
Graylog is a free and open log management platform. Rated low severity (CVSS 3.1), this vulnerability is remotely exploi
Graylog is a free and open log management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today