XSS Vulnerability in X-Pack Machine Learning by Elastic
CVE-2018-3824
6.1MEDIUM
Key Information:
- Vendor
- Elastic
- Vendor
- CVE Published:
- 19 September 2018
Summary
X-Pack Machine Learning prior to versions 6.2.4 and 5.6.9 is susceptible to a cross-site scripting vulnerability. Attackers can exploit this flaw by injecting malicious data into an index running a machine learning job. When another user accesses the results of the job, the injected data can compromise the user's session, potentially allowing the attacker to access sensitive information or execute actions impersonating the user.
Affected Version(s)
Elasticsearch X-Pack Machine Learning before 6.2.4 and 5.6.9
References
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved