CVE-2020-26296
| Source | |
|---|---|
| Severity | High |
| Remote | Yes |
| Type | Cross-site scripting |
| Description | The Kibana “Vega” visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2323 | kibana | 7.10.1-1 | 7.10.2-1 | High | Fixed | FS#70038 |
| References |
|---|
| https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915 |
| Notes |
|---|
| Workaround: The issue can be mitigated by disabling Vega visualizations by setting ‘vega.enabled: false’ in the kibana.yml file. |