CVE-2016-1000220
Published: 2017-06-16
CVE-2016-1000220: Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
Priority: P4 (25) · Severity: medium · CVSS 3.0: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.15% (62.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 4.1.0 < 4.1.11 | 4.1.11 |
| elastic | kibana | >= 4.5.0 < 4.5.4 | 4.5.4 |
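
The two ranges above are the only ones this entry lists, so a fleet check should report "affected", "fixed" or "unlisted" rather than a bare yes/no, and it has to compare versions numerically: as strings, "4.1.9" sorts after "4.1.11". The following is an added example, not Elastic's or the advisory's code. The ranges are copied from the Affected table; the function names, the rule that one MAJOR.MINOR equals one release branch, and the sample version strings are assumptions made for illustration.

```python
"""Classify a Kibana version against the two affected ranges in the table above.

Added example for this entry, not Elastic's code. The ranges are copied from the
Affected table; the branch rule and the sample versions are assumptions.
"""
import re
from typing import Tuple

# (introduced, fixed): a version is affected if introduced <= v < fixed.
AFFECTED_RANGES = [
    ("4.1.0", "4.1.11"),
    ("4.5.0", "4.5.4"),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse MAJOR.MINOR.PATCH into an int tuple (a trailing suffix such as
    '-snapshot' is ignored). Tuples compare numerically, so 4.1.9 < 4.1.11;
    comparing the raw strings would put '4.1.9' after '4.1.11'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted'.

    'fixed' means the version is at or above the fix release of the same
    MAJOR.MINOR branch (assumption: one branch per MAJOR.MINOR). Anything
    outside the listed branches (e.g. 4.3.x) is 'unlisted', which is not the
    same as 'safe': the table simply says nothing about it.
    """
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(introduced), parse_version(fixed)
        if lo <= v < hi:
            return "affected"
        if v >= hi and v[:2] == hi[:2]:
            return "fixed"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("kibana-a", "4.1.9"), ("kibana-b", "4.1.11"),
                      ("kibana-c", "4.5.3-snapshot"), ("kibana-d", "4.3.0")]:
        print(f"{host}: {ver} -> {affected_status(ver)}")
```

Feed `affected_status` whatever version strings your inventory records for each Kibana host. Treat "unlisted" as a prompt to check the 4.2 to 4.4 branches against the vendor advisory rather than as a pass.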
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | | 6.1 | MEDIUM | (no vector published) |
Red Hat
kibana: XSS vulnerability ESA-2016-03
vendor_redhat · 2016-08-03 · CVSS 6.1 · MEDIUM · CWE-79
A cross-site scripting (XSS) flaw was found in Kibana. A remote attacker could use this flaw to inject arbitrary web script into pages served to other users.
Package: kibana (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools) - Not affected
Package: kibana (Red Hat OpenStack Platform 8 (Liberty) Operational Tools) - Not affected
Package: kibana (Red Hat OpenStack Platform 9 (Mitaka) Operational Tools) - Not affected
GHSA
GHSA-v2wv-8cq6-22qw: Kibana before 4
ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-79
No detection rules found.
No public exploits indexed.