CVE-2018-1000029 - Vulnerability Details - OpenCVE

mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elsa Project	Elsa

Configuration 1 [-]

cpe:2.3:a:elsa_project:elsa:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-09T23:00:00

Updated: 2024-08-05T12:33:49.095Z

Reserved: 2018-01-29T00:00:00

Link: CVE-2018-1000029

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-09T23:29:00.980

Modified: 2024-11-21T03:39:28.013

Link: CVE-2018-1000029

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-01-23T00:00:00", "datePublic": "2018-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-09T22:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "1/23/2018 18:57:01", "ID": "CVE-2018-1000029", "REQUESTER": "medsgerj@gmail.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html", "refsource": "CONFIRM", "url": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.095Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000029", "datePublished": "2018-02-09T23:00:00", "dateReserved": "2018-01-29T00:00:00", "dateUpdated": "2024-08-05T12:33:49.095Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elsa_project:elsa:*:*:*:*:*:*:*:*", "matchCriteriaId": "134FD365-4F28-4436-A8E3-5AFFBD14E61C", "versionEndIncluding": "2cc17f1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/)."}, {"lang": "es", "value": "mcholste Enterprise Log Search and Archive (ELSA), en la versi\u00f3n revision 1205, commit con ID 2cc17f1 y anteriores, contiene una vulnerabilidad de Cross-Site Scripting (XSS) en index view (/). Este ataque parece ser explotable mediante una carga \u00fatil enviada mediante los par\u00e1metros type, name y value en /Query/set_preference y los par\u00e1metros name y value en /Query/preference. La carga \u00fatil se ejecuta cuando el usuario visita la vista index (/)."}], "id": "CVE-2018-1000029", "lastModified": "2024-11-21T03:39:28.013", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-09T23:29:00.980", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://blog.securityonion.net/2018/01/security-advisory-for-elsa.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}