Cross-Site Scripting Vulnerability in X-Pack Machine Learning by Elastic
CVE-2018-3823

5.4 MEDIUM

Key Information:

Vendor: Elastic
CVE Published: 19 September 2018

Summary

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 contain a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions can create jobs whose configurations contain malicious data. An attacker could use this to obtain sensitive information from, or perform destructive actions on behalf of, other users who view the job results. Users running affected versions should upgrade.

Affected Version(s)

Elasticsearch X-Pack Machine Learning before 6.2.4 and 5.6.9

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
