Veracode Vulnerability DatabaseVERACODE:25970Cross-site Scripting (XSS)
6.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
4.6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:S/C:P/I:P/A:P
kibana is susceptible to cross-site scripting (XSS). The vulnerability allows a user with privilege to edit or create a region map visualization to inject malicious HTML script via region map visualization feature, leading to sensitive information leakage and perform malicious action on behalf of Kibana users who view the region map visualization.
References
discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786
github.com/elastic/kibana/commit/0bf552bd6baafe3053c68dd20af14a088065df69
github.com/elastic/kibana/commit/eb25b47a75b391bf2bcf236d02cb0afb22a9f226
www.elastic.co/community/security#CVE-2020-7017
www.elastic.co/community/security/
www.oracle.com//security-alerts/cpujul2021.html
Related
6.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
4.6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:S/C:P/I:P/A:P