CVE-2018-3824
MEDIUM
X-Pack Machine Learning < 5.6.9 - Cross-Site Scripting via Index Data Injection
Title source: llm
Description
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has an ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3
6.1
EPSS
0.0022
EPSS Percentile
44.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
elastic/elasticsearch_x-pack
< 5.6.9
elastic/kibana_x-pack
< 5.6.9
elastic/logstash_x-pack
< 5.6.9
org.elasticsearch/elasticsearch
0 - 5.6.9
Maven
Published
Sep 19, 2018
Tracked Since
Feb 18, 2026