Description

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Remediation

References

http://www.securityfocus.com/bid/102734

https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763

Related Vulnerabilities

CVE-2020-8134 Vulnerability in npm package ghost

CVE-2020-2240 Vulnerability in maven package org.jenkins-ci.plugins:database

CVE-2020-15174 Vulnerability in maven package org.webjars.npm:electron

CVE-2018-1327 Vulnerability in maven package org.apache.struts:struts2-rest-plugin

CVE-2019-1003069 Vulnerability in maven package org.jenkins-ci.plugins:aqua-security-scanner

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Vendor Advisory