XSS Vulnerability in X-Pack Machine Learning by Elastic
CVE-2018-3824

6.1MEDIUM

Key Information:

Vendor
Elastic
Vendor
CVE Published:
19 September 2018

Summary

X-Pack Machine Learning prior to versions 6.2.4 and 5.6.9 is susceptible to a cross-site scripting vulnerability. Attackers can exploit this flaw by injecting malicious data into an index running a machine learning job. When another user accesses the results of the job, the injected data can compromise the user's session, potentially allowing the attacker to access sensitive information or execute actions impersonating the user.

Affected Version(s)

Elasticsearch X-Pack Machine Learning before 6.2.4 and 5.6.9

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.