Description
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63), via a method in Vega that bypasses a previous Vega XSS mitigation.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Affected products
- Elastic / Kibana 7.0.0 – 7.17.29
- Elastic / Kibana 8.0.0 – 8.19.8
- Elastic / Kibana 9.0.0 – 9.1.8
- Elastic / Kibana 9.2.0 – 9.2.2