GHSA-q9q2-3ppx-mwqf: 
Java vulnerability analysis and mitigation

A high-severity stored cross-site scripting vulnerability was identified in Graylog2 enterprise server (GHSA-q9q2-3ppx-mwqf), affecting versions prior to 6.2.0. The vulnerability was discovered and published on May 7, 2025, by kroepke and analyzed by Fabian Yamaguchi from Whirly Labs (Pty) Ltd. The issue received a CVSS score of 7.3, indicating high severity (GitHub Advisory).

The vulnerability consists of two minor vulnerabilities that can be combined to execute a stored cross-site scripting attack. The attack vector is accessible through the network, with low attack complexity and requires low privileges. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating network-based attack vector, low attack complexity, low privileges required, and user interaction required for exploitation (GitHub Advisory).

The vulnerability allows an attacker with FILES_CREATE permission to upload arbitrary Javascript code to the Graylog2 server. When a user accesses the file through the API browser, the malicious Javascript code executes in the context of the Graylog frontend application. This execution enables the attacker to perform authenticated API requests with the permissions of the logged-in user, effectively allowing session takeover (GitHub Advisory).

The vulnerability has been patched in Graylog version 6.2.0. The fix involved removing the generic API, which rendered the attack vector unreachable, and implementing additional escaping mechanisms. Users are advised to upgrade to version 6.2.0 or later to mitigate this vulnerability (GitHub Advisory).