Description
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega that bypasses a previous Vega XSS mitigation.
A flaw was found in Kibana. An authenticated user can exploit an improper neutralization of input during web page generation to embed malicious scripts. This vulnerability, which bypasses a previous Cross-site Scripting (XSS) mitigation in Vega, allows the scripts to be served to web browsers. The consequence is Cross-site Scripting (XSS), potentially leading to unauthorized actions or information disclosure.
Statement
This vulnerability is rated Important for Red Hat OpenShift Container Platform because an authenticated user can exploit a Cross-site Scripting (XSS) flaw in Kibana's Vega component. This allows for embedding malicious scripts, potentially leading to unauthorized actions or information disclosure within the user's session.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
Additional information
EPSS
CVSS3: 7.2 High