Cross-site scripting in Kibana - CVE-2018-3820

 

Published: March 30, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31340
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-3820
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.


How to mitigate CVE-2018-3820

Install the update from the vendor's website.
