| Field | Change | Value |
|---|---|---|
| Severity | | |
| Remote | | |
| Type | - | Unknown |
| Type | + | Cross-site scripting |
| Description | + | The Kibana "Vega" visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim's browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14. |
| References | + | https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915 |
| Notes | + | Workaround: the issue can be mitigated by disabling Vega visualizations by setting 'vega.enabled: false' in the kibana.yml file. |
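An added check, not part of the advisory or of Kibana itself: given a Kibana version string and the text of its kibana.yml, it reports whether the instance is still exposed, i.e. the release predates the fix for its branch and the 'vega.enabled: false' workaround is not applied. The fixed versions come from the advisory; treating every release below 6.8.14 as affected and the two spellings of the setting are my assumptions.

```python
import re

# Fixed releases per branch, from the advisory.
FIXED = {6: (6, 8, 14), 7: (7, 10, 2)}


def parse_version(version):
    """'7.10.1' -> (7, 10, 1); a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version):
    """True when the release shipped the unpatched Vega library."""
    v = parse_version(version)
    if v[0] > 7:
        return False  # 8.x was released after the fix
    if v[0] < 6:
        return True   # assumption: older branches never received the fix
    return v < FIXED[v[0]]


def vega_enabled(kibana_yml):
    """Read vega.enabled from kibana.yml text; Kibana's default is enabled."""
    enabled = True
    in_vega_block = False
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop YAML comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            in_vega_block = False                # left any nested 'vega:' block
        m = re.match(r"^vega\.enabled:\s*(\S+)", line)       # dotted form
        if m:
            enabled = m.group(1).strip("\"'").lower() != "false"
        elif re.match(r"^vega:\s*$", line):                  # nested form
            in_vega_block = True
        elif in_vega_block:
            m = re.match(r"^\s+enabled:\s*(\S+)", line)
            if m:
                enabled = m.group(1).strip("\"'").lower() != "false"
    return enabled


def exposed(version, kibana_yml):
    """Exposed only if the release is unpatched AND the workaround is absent."""
    return version_vulnerable(version) and vega_enabled(kibana_yml)


if __name__ == "__main__":
    sample_yml = "server.port: 5601\nvega.enabled: false  # workaround\n"  # constructed
    print(exposed("7.10.1", sample_yml))
```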