CVE-2018-3823
MEDIUM
X-Pack Machine Learning < 5.6.9 - Cross-Site Scripting via Job Configuration
Title source: llm
Description
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3: 5.4
EPSS: 0.0019
EPSS Percentile: 41.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (3)
elastic/elasticsearch_x-pack < 5.6.9
elastic/kibana_x-pack < 5.6.9
elastic/logstash_x-pack < 5.6.9
Published: Sep 19, 2018
Tracked Since: Feb 18, 2026