CVE-2018-3821 - Cross-Site Scripting (XSS) vulnerability in Elasticsearch Kibana

Publication

2018-03-30

Last modification

2018-04-19

Summary

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Classification

CWE-79 - Cross-Site Scripting (XSS)

Risk level (CVSS AV:N/AC:M/Au:N/C:N/I:P/A:N)

Medium

4.3

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality Impact

None

Integrity Impact

Partial

Affected Products

Vendor: Elasticsearch
Product: Kibana
Versions: 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2