7.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-q9q2-3ppx-mwqf

EPSS Score

CWE

CWE-79

Published

5/7/2025

Updated

5/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-q9q2-3ppx-mwqf

GHSA-q9q2-3ppx-mwqf: Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser

Impact

Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack. An attacker with the permission FILES_CREATE can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application. This enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session.

Patches

The generic API has been removed in 6.2.0 rendering the attack vector unreachable and additional escaping has been added.

Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-q9q2-3ppx-mwqf

EPSS Score

CWE

CWE-79

Published

5/7/2025

Updated

5/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.graylog2:graylog2-server	maven	< 6.2.0	6.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description points to two combined issues: file upload and API browser rendering. The provided commit directly addresses the API browser rendering part by adding escaping to response headers. The swagger-ui.js file is part of the API browser, and the change explicitly adds Handlebars.Utils.escapeExpression to sanitize the output. This strongly suggests that the lack of escaping in this specific part of the API browser was one of the vulnerabilities. The other part of the vulnerability (Files Plugin) is addressed by removing the generic API, which is a broader change not pinpointed to a single function in this commit but is mentioned in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Two minor vuln*r**iliti*s w*r* i**nti*i** in t** *r*ylo** *nt*rpris* s*rv*r, w*i** **n ** *om*in** to **rry out * stor** *ross-sit* s*riptin* *tt**k. *n *tt**k*r wit* t** p*rmission `*IL*S_*R**T*` **n *xploit t**s* vuln*r**iliti*s to uplo*

Reasoning

T** vuln*r**ility **s*ription points to two *om*in** issu*s: *il* uplo** *n* *PI *rows*r r*n**rin*. T** provi*** *ommit *ir**tly ***r*ss*s t** *PI *rows*r r*n**rin* p*rt *y ***in* *s**pin* to r*spons* *****rs. T** `sw****r-ui.js` *il* is p*rt o* t**

7.3

Basic Information

Concerned about an active attack path?

GHSA-q9q2-3ppx-mwqf: Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser

Impact

Patches

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI