Cross-Site Scripting Vulnerability in X-Pack Machine Learning by Elastic
CVE-2018-3823
5.4MEDIUM
Key Information:
- Vendor
- Elastic
- Vendor
- CVE Published:
- 19 September 2018
Summary
X-Pack Machine Learning prior to versions 6.2.4 and 5.6.9 is susceptible to a Cross-Site Scripting vulnerability. This issue enables users with manage_ml permissions to craft jobs that include harmful data within their configurations. As a result, an attacker could exploit this vulnerability to gather sensitive information or execute destructive actions unknowingly on behalf of other users who view the job results. It is crucial for users of these affected versions to upgrade to protect against potential threats.
Affected Version(s)
Elasticsearch X-Pack Machine Learning before 6.2.4 and 5.6.9
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved