CVE-2025-62717

Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been fixed in commit 1f726df.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/emlog/emlog/commit/1f726df0ce56a1bc6e8225dd95389974173bd0c0	Patch
https://github.com/emlog/emlog/security/advisories/GHSA-wwj4-ppfj-hcm6	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*

History

28 Oct 2025, 14:15

Type	Values Removed	Values Added
First Time		Emlog Emlog emlog
References	~~() https://github.com/emlog/emlog/commit/1f726df0ce56a1bc6e8225dd95389974173bd0c0 -~~	() https://github.com/emlog/emlog/commit/1f726df0ce56a1bc6e8225dd95389974173bd0c0 - Patch
References	~~() https://github.com/emlog/emlog/security/advisories/GHSA-wwj4-ppfj-hcm6 -~~	() https://github.com/emlog/emlog/security/advisories/GHSA-wwj4-ppfj-hcm6 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:emlog:emlog:2.5.23::::pro:::

24 Oct 2025, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-24 21:16

Updated : 2025-10-28 14:15

NVD link : CVE-2025-62717

Mitre link : CVE-2025-62717

CVE.ORG link : CVE-2025-62717

JSON object : View

Products Affected

emlog

emlog

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

{"id": "CVE-2025-62717", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-24T21:16:12.963", "references": [{"url": "https://github.com/emlog/emlog/commit/1f726df0ce56a1bc6e8225dd95389974173bd0c0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/emlog/emlog/security/advisories/GHSA-wwj4-ppfj-hcm6", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been fixed in commit 1f726df."}], "lastModified": "2025-10-28T14:15:50.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "CBBD3D75-C2B3-4727-9B9E-6408956E4ADB"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}