CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2018-3830 – kibana: Cross-site scripting via the source field formatter
https://notcve.org/view.php?id=CVE-2018-3830
19 Sep 2018 — Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones 5.3.0 a 6.4.1 de Kibana presentaban una vulnerabilidad Cross-Site Scripting (XSS) a través del formateador de los campos de origen que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de ... • https://access.redhat.com/errata/RHSA-2018:3537 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-3819
https://notcve.org/view.php?id=CVE-2018-3819
30 Mar 2018 — The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. La solución en Kibana para ESA-2017-23 era incompleta. Con la seguridad X-Pack habilitada, las versiones anteriores a la 6.1.2 y 5.6.7 de Kibana tienen una vulnerabilidad de redirección abierta en la página de inicio de sesión que permitiría que un atac... • https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3820
https://notcve.org/view.php?id=CVE-2018-3820
30 Mar 2018 — Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones posteriores a la 6.1.0 y anteriores a la 6.1.3 de Kibana presentan una vulnerabilidad Cross-Site Scripting (XSS) en las visualizaciones de los labs que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombr... • https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3818
https://notcve.org/view.php?id=CVE-2018-3818
30 Mar 2018 — Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones 5.1.1 a 6.1.2 y 5.6.6 de Kibana presentan una vulnerabilidad Cross-Site Scripting (XSS) a través del formateador de los campos de color que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de o... • http://www.securityfocus.com/bid/102734 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-3821
https://notcve.org/view.php?id=CVE-2018-3821
30 Mar 2018 — Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones posteriores a la 5.1.1 y anteriores a la 5.6.7 y 6.1.3 de Kibana presentan una vulnerabilidad Cross-Site Scripting (XSS) en la visualización de la nube de etiquetas que podrían permitir a un atacante obtener información sensible o real... • https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 0CVE-2017-11481
https://notcve.org/view.php?id=CVE-2017-11481
08 Dec 2017 — Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones anteriores a la 6.0.1 y 5.6.5 de Kibana presentan una vulnerabilidad de tipo Cross-Site Scripting (XSS) en campos URL que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. • https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 0CVE-2017-11482
https://notcve.org/view.php?id=CVE-2017-11482
08 Dec 2017 — The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Se ha descubierto que la corrección de Kibana para CVE-2017-8451 está incompleta. Con X-Pack instalado, las versiones anteriores a la 6.0.1 y 5.6.5 de Kibana tienen una vulnerabilidad de redirección abierta en la página de inicio de sesión que podrí... • https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 22EXPL: 0CVE-2017-11479
https://notcve.org/view.php?id=CVE-2017-11479
28 Sep 2017 — Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones anteriores a la 5.6.1 de Kibana presentan una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Timelion que podría permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. • http://www.openwall.com/lists/oss-security/2019/10/24/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8443
https://notcve.org/view.php?id=CVE-2017-8443
30 Jun 2017 — In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs. En Kibana X-Pack, en versiones de seguridad anteriores a la 5.4.3, si un usuario Kibana abre una URL Kibana manipulada, el resultado podría ser una r... • https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-598: Use of GET Request Method With Sensitive Query Strings •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-10364
https://notcve.org/view.php?id=CVE-2016-10364
16 Jun 2017 — With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. Con X-Pack instalado, Kibana en sus versiones 5.0.0 y 5.0.1 no autentifica debidamente las solicitudes a las configuraciones avanzadas y el servicio de URLs cortas, cualquier usuario autentificado podría realizar una solicitud a estos servicios sin considerar sus propi... • https://www.elastic.co/community/security • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •