Description
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
A flaw was found in Kibana. An unauthenticated user can embed a malicious script in web page content through improper input neutralization during web page generation. This cross-site scripting (XSS) vulnerability, specifically in a function handler within the Vega AST evaluator, allows for the execution of arbitrary scripts in a victim's browser, potentially leading to information disclosure or unauthorized actions.
Report
This vulnerability is rated Moderate for Red Hat because it is a cross-site scripting (XSS) flaw in Kibana's Vega AST evaluator that requires user interaction for exploitation. An unauthenticated attacker can embed malicious scripts in web page content, which would then execute in a victim's browser when they view the crafted content. This affects components like openshift-logging/kibana6-rhel8 in OpenShift Container Platform.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | | |
Additional information
Status:
6.1 Medium
CVSS3
Related vulnerabilities
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
Improper neutralization of input during web page generation ('Cross-si ...
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
6.1 Medium
CVSS3