Severity:
Remote:
Type: Cross-site scripting (changed from "Unknown")

Description
The Kibana "Vega" visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim's browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14.

References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915

Notes
Workaround
==========

The issue can be mitigated by disabling Vega visualizations by setting 'vega.enabled: false' in the kibana.yml file.
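An added audit helper (example code, not Elastic's or the tracker's) that applies this entry to a deployment: it reports "fixed" when the Kibana version is at or above 7.10.2 or 6.8.14 on its branch, "mitigated" when kibana.yml carries the workaround above, and "exposed" otherwise. It assumes releases below the 6.8 line are affected (the entry lists no fix for them), that later major lines inherit the fix, and scans kibana.yml with a simple line parser rather than a full YAML parser, so only a top-level `vega.enabled` key is recognised.

```python
import re

# Fixed versions per major line, as stated in the advisory text above.
FIXED = {6: (6, 8, 14), 7: (7, 10, 2)}


def parse_version(s):
    """Turn '7.10.1' (optionally with a -SNAPSHOT style suffix) into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {s!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    v = parse_version(version)
    if v[0] >= 8:  # assumption: majors after 7 ship with the fix
        return True
    fixed = FIXED.get(v[0])  # majors below 6 have no listed fix: affected
    return fixed is not None and v >= fixed


def vega_disabled(kibana_yml):
    """True when kibana.yml sets 'vega.enabled: false'; comments are ignored."""
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        m = re.fullmatch(r"vega\.enabled\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("'\"").lower() == "false"
    return False  # Vega visualizations are enabled by default


def assess(version, kibana_yml):
    """Classify one instance as 'fixed', 'mitigated' or 'exposed'."""
    if version_is_fixed(version):
        return "fixed"
    if vega_disabled(kibana_yml):
        return "mitigated"
    return "exposed"


# Constructed sample config for a run, not taken from any real deployment.
SAMPLE_YML = (
    "server.port: 5601\n"
    "# vega.enabled: false   <- commented out, so it does not count\n"
    "vega.enabled: false\n"
)

if __name__ == "__main__":
    for ver in ("6.8.13", "6.8.14", "7.9.3", "7.10.2"):
        print(ver, assess(ver, SAMPLE_YML))
```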
|