CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-30372: Emlog Pro contains an SQL injection vulnerability.

7.7 CVSS

Description

Emlog is an open source website building system. Emlog Pro versions pro-2.5.7 and pro-2.5.8 contain an SQL injection vulnerability. `search_controller.php` does not use addslashes after urldecode, allowing the preceeding addslashes to be bypassed by URL double encoding. This could result in potential leakage of sensitive information from the user database. Version pro-2.5.9 fixes the issue.

Classification

CVE ID: CVE-2025-30372

CVSS Base Severity: HIGH

CVSS Base Score: 7.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: emlog

Product: emlog

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.68% (scored less or equal to compared to others)

EPSS Date: 2025-04-25 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30372
https://github.com/emlog/emlog/security/advisories/GHSA-w6xc-r6x5-m77c

Timeline

2025-03-28 15:40:16 UTC
CVE

Emlog Pro contains an SQL injection vulnerability.