Elog Project Elog vulnerabilities
9 known vulnerabilities affecting elog_project/elog.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 8, MEDIUM 1
Vulnerabilities
CVE-2019-3993 | P3 | HIGH | CVSS 7.5 | CWE-200 | ≤ 3.1.4-57bea22 | ELOG 3.1.4-57bea22 and below | 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can recover a user's password hash by sending a crafted HTTP POST request.
nvd
CVE-2019-3995 | P3 | HIGH | CVSS 7.5 | CWE-476 | ≤ 3.1.4-57bea22 | ELOG 3.1.4-57bea22 and below | 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request.
nvd
CVE-2025-64349 | P3 | HIGH | CVSS 8.8 | CWE-862 | ≤ 3.1.5-20251014 | 2025-10-31
ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration.
nvd
CVE-2025-62618 | P3 | HIGH | CVSS 8.0 | CWE-79 | fixed in 3.1.5-20251014 | 2025-10-31
ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 rel
nvd
CVE-2019-3992 | P3 | HIGH | CVSS 7.5 | CWE-200 | ≤ 3.1.4-57bea22 | ELOG 3.1.4-57bea22 and below | 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can access the server's configuration file by sending an HTTP GET request. Amongst the configuration data, the attacker may gain access to valid admin usernames and, in older versions of ELOG, passwords.
nvd
CVE-2019-3996 | P3 | MEDIUM | CVSS 6.5 | CWE-441 | ≤ 3.1.4-57bea22 | ELOG 3.1.4-57bea22 and below | 2019-12-17
ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests.
nvd
CVE-2019-3994 | P3 | HIGH | CVSS 7.5 | CWE-416 | ≤ 3.1.4-57bea22 | ELOG 3.1.4-57bea22 and below | 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a use after free. A remote unauthenticated attacker can crash the ELOG server by sending multiple HTTP POST requests which causes the ELOG function retrieve_url() to use a freed variable.
nvd
CVE-2016-6342 | P3 | HIGH | CVSS 7.5 | CWE-284 | v3.1.1 | 2017-06-27
elog 3.1.1 allows remote attackers to post data as any username in the logbook.
nvd
CVE-2025-64348 | P3 | HIGH | CVSS 7.1 | CWE-862 | ≤ 3.1.5-20251014 | 2025-10-31
ELOG allows an authenticated user to modify or overwrite the configuration file, resulting in denial of service. If the execute facility is specifically enabled with the "-x" command line flag, attackers could execute OS commands on the host machine. By default, ELOG is not configured to allow shell commands or self-registration.
nvd