CVE-2020-7011
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim�s web browser.
Elastic App Search versiones anteriores a 7.7.0, contienen un fallo de tipo cross site scripting (XSS) cuando se muestran las URL de los documentos en la Interfaz de Usuario Reference. Si la Interfaz de Usuario Reference inyecta una URL en un resultado, esa URL será representada por el navegador web. Si un atacante es capaz de controlar el contenido de dicho campo, podría ejecutar JavaScript arbitrario en el navegador web de la víctima.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-14 CVE Reserved
- 2020-06-03 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.elastic.co/community/security | 2020-06-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Elastic Search vendor "Elastic" | Elastic App Search Search vendor "Elastic" for product "Elastic App Search" | < 7.7.0 Search vendor "Elastic" for product "Elastic App Search" and version " < 7.7.0" | - |
Affected
| ||||||