CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 0CVE-2017-11481
https://notcve.org/view.php?id=CVE-2017-11481
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones anteriores a la 6.0.1 y 5.6.5 de Kibana presentan una vulnerabilidad de tipo Cross-Site Scripting (XSS) en campos URL que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. • https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 15EXPL: 0CVE-2017-8448
https://notcve.org/view.php?id=CVE-2017-8448
An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. Existe un error en el modelo de permisos utilizado en X-Pack Alerting desde la versión 5.0.0 hasta la 5.6.0, en donde los usuarios que tienen integrados ciertos roles podrían crear un "watch" que haría que esos usuarios obtengan privilegios elevados. • https://discuss.elastic.co/t/x-pack-alerting-and-kibana-5-6-1-security-update/101884 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-8447
https://notcve.org/view.php?id=CVE-2017-8447
An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. Existe un error en torno al cumplimiento de los privilegios en X-Pack Security desde la versión 5.3.0 hasta la 5.5.2 Si un usuario tiene los permisos de "delete" o "index" en un índice en un clúster, podría enviar las peticiones de delete e index contra el índice. • https://discuss.elastic.co/t/x-pack-security-5-6-0-and-5-5-3-security-update/100089 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 22EXPL: 0CVE-2017-11479
https://notcve.org/view.php?id=CVE-2017-11479
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones anteriores a la 5.6.1 de Kibana presentan una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Timelion que podría permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. • http://www.openwall.com/lists/oss-security/2019/10/24/1 http://www.openwall.com/lists/oss-security/2019/10/29/3 https://discuss.elastic.co/t/x-pack-alerting-and-kibana-5-6-1-security-update/101884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8445
https://notcve.org/view.php?id=CVE-2017-8445
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates. Se ha encontrado un error en el administrador de confianza X-Pack Security TLS en las versiones de la 5.0.0 a la 5.5.1. • https://www.elastic.co/community/security • CWE-295: Improper Certificate Validation •