CVE-2020-26296
Severity | High |
Remote | Yes |
Type | Cross-site scripting |
Description | The Kibana “Vega” visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-2323 | kibana | 7.10.1-1 | 7.10.2-1 | High | Fixed | FS#70038 |
References |
---|
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915 |
Notes |
---|
Workaround: The issue can be mitigated by disabling Vega visualizations by setting 'vega.enabled: false' in the kibana.yml file. |