CVSS: 7.2EPSS: 1%CPEs: 4EXPL: 0CVE-2020-7013 – kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
https://notcve.org/view.php?id=CVE-2020-7013
03 Jun 2020 — Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. Kibana versiones anteriores a 6.8.9 y 7.7.0, contienen un fallo de contaminación de prototipo en TSVB. Un atacante autenticado con privilegios para crear visualizaciones ... • https://www.elastic.co/community/security • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-7621
https://notcve.org/view.php?id=CVE-2019-7621
18 Dec 2019 — Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim�s browser. Las versiones de Kibana anteriores a 6.8.6 y 7.5.1 contienen un defecto de secuencias de comandos de sitios cruzados (XSS) en ... • https://discuss.elastic.co/t/elastic-stack-6-8-6-and-7-5-1-security-update/212390 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 9%CPEs: 2EXPL: 1CVE-2019-7616
https://notcve.org/view.php?id=CVE-2019-7616
30 Jul 2019 — Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. Kibana versiones anteriores a 6.8.2 y 7.2.1, contienen un fallo de tipo server side request forgery (SSRF) en la integración de gra... • https://github.com/random-robbie/CVE-2019-7616 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-7608 – kibana: Cross-site scripting vulnerability permits perform destructive actions on behalf of other Kibana users
https://notcve.org/view.php?id=CVE-2019-7608
25 Mar 2019 — Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana presentan una vulnerabilidad de Cross-Site Scripting (XSS) que podría permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. Red Hat OpenShift Container Platform is Red H... • https://access.redhat.com/errata/RHBA-2019:2824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 4%CPEs: 2EXPL: 0CVE-2019-7610 – kibana: Audit logging Remote Code Execution issue
https://notcve.org/view.php?id=CVE-2019-7610
25 Mar 2019 — Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Kibana anterior a versión 6.6.1, contienen un fallo de ejecución de código arbitrario en el registrador de auditoría de seguri... • https://access.redhat.com/errata/RHBA-2019:2824 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 94%CPEs: 4EXPL: 12CVE-2019-7609 – Kibana Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2019-7609
25 Mar 2019 — Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecución de código arbitrario en el visualizador Timelion. Un atacante con ac... • https://packetstorm.news/files/id/174569 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-17245
https://notcve.org/view.php?id=CVE-2018-17245
20 Dec 2018 — Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider. Kibana, de la versión 4.0 a la 4.6, de la 5.0 a la 5.6.12 y de la 6.0 a la 6.4.2, contiene un error en la forma en la que las credenciales de autorización se emplean al generar informes en PDF. Si un informe... • https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594 • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 93%CPEs: 3EXPL: 1CVE-2018-17246
https://notcve.org/view.php?id=CVE-2018-17246
20 Dec 2018 — Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Kibana, en versiones anteriores a la 6.4.3 y la 5.6.13, contiene un error de inclusión de archivos arbitrarios en el plugin Console. Un atacante con acceso a la AP... • https://github.com/mpgn/CVE-2018-17246 • CWE-73: External Control of File Name or Path CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-3819
https://notcve.org/view.php?id=CVE-2018-3819
30 Mar 2018 — The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. La solución en Kibana para ESA-2017-23 era incompleta. Con la seguridad X-Pack habilitada, las versiones anteriores a la 6.1.2 y 5.6.7 de Kibana tienen una vulnerabilidad de redirección abierta en la página de inicio de sesión que permitiría que un atac... • https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3818
https://notcve.org/view.php?id=CVE-2018-3818
30 Mar 2018 — Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones 5.1.1 a 6.1.2 y 5.6.6 de Kibana presentan una vulnerabilidad Cross-Site Scripting (XSS) a través del formateador de los campos de color que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de o... • http://www.securityfocus.com/bid/102734 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •