CVE-2017-8440
MEDIUM
Kibana 5.3.0-5.3.3 and >=5.4.1 - Cross-Site Scripting in Discover Page
Title source: llm
Description
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
References (3)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.elastic.co/blog/kibana-5-4-1-and-5-3-3-released
Mitigation, Vendor Advisory x_refsource_confirm
https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3
6.1
EPSS
0.0034
EPSS Percentile
56.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (6)
elastic/kibana
5.3.0
elastic/kibana
5.3.1
elastic/kibana
5.3.2
elastic/kibana
5.4.0
Elastic/Kibana
5.3.0 to 5.3.3
Elastic/Kibana
5.4.1
Published
Jun 05, 2017
Tracked Since
Feb 18, 2026