Cross-site scripting in Kibana - CVE-2017-11481

 


Published: December 8, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU37771
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-11481
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.


How to mitigate CVE-2017-11481

Install the update from the vendor's website.
