fkie_nvd - fkie_cve-2017-11481

fkie_cve-2017-11481

Vulnerability from fkie_nvd

Published

2017-12-08 18:29

Modified

2025-04-20 01:37

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

References

	URL	Tags
	bressers@elastic.co	https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571	Vendor Advisory

Impacted products

Vendor	Product	Version
elastic	kibana	5.6.0
elastic	kibana	5.6.1
elastic	kibana	5.6.2
elastic	kibana	5.6.3
elastic	kibana	5.6.4
elastic	kibana	6.0.0
elastic	kibana	6.0.0
elastic	kibana	6.0.0
elastic	kibana	6.0.0
elastic	kibana	6.0.0
elastic	kibana	6.0.0
elastic	kibana	6.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elastic:kibana:5.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C22151C-45AD-44DB-B3E0-178BC93CC8DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:5.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EAB4F2B-26A1-4F1C-BA4D-1B1D2DAFC8EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:5.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5EEC2D6D-D18A-4E5A-999F-46101D21EE6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:5.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "92FED321-3988-4E5E-993B-C205F772D41F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:5.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "29554EC2-EC90-4EDA-B3BB-705BDF446A04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7A7247C-F032-4A8A-A854-9119020AEA53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "9FC1C2A2-509F-4C21-9D82-862146EA6B83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "DC9A41CB-1852-4BF2-AC39-A92E2EAAB9D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "804F2D2F-9A4A-4179-B774-14B7B293C6F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "DC11C2B1-EB71-4D19-A592-99452D4E5285",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "8AAE3FEE-A2F1-41C8-9C38-ECA9B3203B44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:kibana:6.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "335B93D1-893F-494A-8F0D-176585DDD53A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
    },
    {
      "lang": "es",
      "value": "Las versiones anteriores a la 6.0.1 y 5.6.5 de Kibana presentan una vulnerabilidad de tipo Cross-Site Scripting (XSS) en campos URL que podr\u00edan permitir a un atacante obtener informaci\u00f3n sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana."
    }
  ],
  "id": "CVE-2017-11481",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-12-08T18:29:00.240",
  "references": [
    {
      "source": "bressers@elastic.co",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571"
    }
  ],
  "sourceIdentifier": "bressers@elastic.co",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "bressers@elastic.co",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2017-11481 (GCVE-0-2017-11481)

Vulnerability from cvelistv5

Published

2017-12-08 18:00

Modified

2024-08-05 18:12

Severity ?

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

References

URL

Tags

https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571

x_refsource_CONFIRM