CVE-2020-7011
03.06.2020, 18:15
Elastic App Search versions before 7.7.0 contain a cross-site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim's web browser.
Vendor | Product | Version |
---|---|---|
elastic | elastic_app_search | 𝑥 < 7.7.0 |
𝑥 = Vulnerable software versions

Common Weakness Enumeration
- CWE-84 - Improper Neutralization of Encoded URI Schemes in a Web Page: The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
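The class of defect described above (a document field rendered as a link, with CWE-84 covering disguised schemes) is usually closed with a scheme allow-list applied to the parsed URL before it reaches an `href`. The following is an added example of that check, not Elastic's code or its fix; `safeHref`, `renderResultLink` and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example: scheme allow-list for URLs taken from indexed documents.
// safeHref / renderResultLink are hypothetical names, not App Search code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function safeHref(raw) {
  if (typeof raw !== "string") return null;
  // Browsers drop tab/CR/LF and leading control or space characters before
  // parsing a URL, so normalise first: the check must see what the browser sees.
  const cleaned = raw.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  let url;
  try {
    url = new URL(cleaned); // absolute URLs only; anything else throws
  } catch {
    return null;
  }
  // Compare the parsed, lower-cased scheme, never a prefix of the raw string.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a result field as a link only when its scheme is allowed;
// otherwise show it as inert, escaped text.
function renderResultLink(raw) {
  const href = safeHref(raw);
  const label = escapeHtml(String(raw));
  return href === null
    ? `<span>${label}</span>`
    : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample field values (not taken from any real index).
const SAMPLES = [
  "https://example.com/doc/1",
  "JaVaScRiPt:alert(1)",      // mixed case
  "java\tscript:alert(1)",    // embedded tab
  "&#106;avascript:alert(1)", // HTML-entity-encoded scheme
  "data:text/html,x",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", safeHref(s));
```

Values that fail the check are still displayed, but only as escaped text, so a rejected field cannot become a clickable script URL.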