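elog_project CVE Vulnerabilities and CVE List (9)

Products (CPE): — CVE count: 9

elog_project Vulnerability Overview

This page aggregates CVE and security vulnerability information across all elog_project products, with CVSS, EPSS, publication date, and vulnerability data.

Common weakness patterns include path-handling flaws, memory corruption, cross-site scripting, and SSRF. In software deployments and production workloads, these can lead to risks such as file overwrite, memory corruption, and application crashes.

The listed data is based on public vulnerability information and security advisories, and can be used to assess historical exposure and remediation priority.

Vulnerability distribution trend (last 24 months)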

| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-64349 | ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.7 | 0.07% | 2025-10-31 | 2025-11-10 |
| CVE-2025-64348 | ELOG allows an authenticated user to modify or overwrite the configuration file, resulting in denial of service. If the execute facility is specifically enabled with the "-x" command line flag, attackers could execute OS commands on the host machine. By default, ELOG is not configured to allow shell commands or self-registration. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.1 | 0.06% | 2025-10-31 | 2026-04-26 |
| CVE-2025-62618 | ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.6 | 0.05% | 2025-10-31 | 2025-11-10 |
| CVE-2019-3996 | ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests. | [email protected] | 6.5 | 3.50% | 2019-12-17 | 2024-11-21 |
| CVE-2019-3995 | ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request. | [email protected] | 7.5 | 7.96% | 2019-12-17 | 2024-11-21 |
| CVE-2019-3994 | ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a use after free. A remote unauthenticated attacker can crash the ELOG server by sending multiple HTTP POST requests which causes the ELOG function retrieve_url() to use a freed variable. | [email protected] | 7.5 | 2.80% | 2019-12-17 | 2024-11-21 |
| CVE-2019-3993 | ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can recover a user's password hash by sending a crafted HTTP POST request. | [email protected] | 7.5 | 11.61% | 2019-12-17 | 2024-11-21 |
| CVE-2019-3992 | ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can access the server's configuration file by sending an HTTP GET request. Amongst the configuration data, the attacker may gain access to valid admin usernames and, in older versions of ELOG, passwords. | [email protected] | 7.5 | 4.03% | 2019-12-17 | 2024-11-21 |
| CVE-2016-6342 | elog 3.1.1 allows remote attackers to post data as any username in the logbook. | [email protected] | 7.5 | 0.23% | 2017-06-27 | 2026-05-13 |
cvelogic Threat Intelligence