Vulnerabilities > Elastic > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-06-16 CVE-2016-1000222 Argument Injection or Modification vulnerability in Elastic Logstash
Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data.
network
low complexity
elastic CWE-88
5.0
5.0
2017-06-16 CVE-2016-1000221 Information Exposure vulnerability in Elastic Logstash
Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information.
network
low complexity
elastic CWE-200
5.0
5.0
2017-06-16 CVE-2016-1000220 Cross-site Scripting vulnerability in Elastic Kibana
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
network
elastic CWE-79
4.3
4.3
2017-06-16 CVE-2016-1000219 Improper Authorization vulnerability in Elastic Kibana
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files.
network
low complexity
elastic CWE-285
5.0
5.0
2017-06-16 CVE-2016-1000218 Cross-Site Request Forgery (CSRF) vulnerability in Elastic Kibana Reporting 2.4.0
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
network
elastic CWE-352
6.8
6.8
2017-06-16 CVE-2015-9056 Cross-site Scripting vulnerability in Elastic Kibana
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
network
elastic CWE-79
4.3
4.3
2017-06-05 CVE-2017-8441 Information Exposure vulnerability in Elastic X-Pack
Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases.
network
low complexity
elastic CWE-200
4.0
4.0
2017-06-05 CVE-2017-8440 Cross-site Scripting vulnerability in Elastic Kibana
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
network
elastic CWE-79
4.3
4.3
2017-06-05 CVE-2017-8439 Cross-site Scripting vulnerability in Elastic Kibana 5.4.0
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder.
network
elastic CWE-79
4.3
4.3
2017-06-05 CVE-2017-8438 Improper Privilege Management vulnerability in Elastic X-Pack
Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality.
network
low complexity
elastic CWE-269
6.5
6.5