CVE-2017-11479 — Cross-site Scripting in Kibana

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana Elasticsearch Kibana

Timeline

PublishedSep 29

Latest updateMay 13

Description

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDelastic/kibana21 versions+20

▶NVDelasticsearch/kibana5.1.0

🔴Vulnerability Details

GHSA

GHSA-3chc-mx35-j8gg: Kibana versions prior to 5↗2022-05-13

▶

CVEList

CVE-2017-11479: Kibana versions prior to 5↗2017-09-28

▶

📋Vendor Advisories

Red Hat

kibana: XSS vulnerability in Timelion could allow an attacker obtain sensitive information or perform user actions↗2017-09-28

▶

💬Community

Bugzilla

CVE-2017-11479 kibana: XSS vulnerability in Timelion could allow an attacker obtain sensitive information or perform user actions↗2018-01-11

▶