{"id":"CVE-2017-11481","details":"Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.","modified":"2026-04-11T15:15:31.697281Z","published":"2017-12-08T18:29:00.240Z","related":["SUSE-SU-2021:1962-1","SUSE-SU-2021:1963-1","SUSE-SU-2021:2554-1"],"references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/kibana-6-0-1-and-5-6-5-security-update/110571"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"0"},{"last_affected":"12d17c6d111705f0c0c29fbab66eb22eda31dcdf"},{"last_affected":"d1e7b4cfb06c4d9156fb1e691853b36ff5801d57"},{"last_affected":"864b8719e2814b7667d5831c415a79026d78ea9f"},{"last_affected":"f363a8fe7aeeb6a535e0bb43b3b1916f26ab3732"},{"last_affected":"efd2403e605c9f695a87929083421ba09f3ac54e"},{"last_affected":"f8bc449f5a6b28d0597730b1cf03fefe7e33422e"},{"last_affected":"815b082799cc42b0a66d52689d901525b5e6f182"},{"last_affected":"b7f519704ae0d25f085e3278198e2abec1d9ef6e"},{"last_affected":"e5b6450423e5b179eb85810b997dd3fd0c8c7ddb"},{"last_affected":"3cb25ad0b62e8b085f4fabf2af7efca03124c1b9"},{"last_affected":"04485d7d34cc0e94f58146577892fb2c4a6e7f56"},{"last_affected":"0766ab238177e366236f3cdf34b19b6c5ffaf837"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"5.6.0"},{"last_affected":"5.6.1"},{"last_affected":"5.6.2"},{"last_affected":"5.6.3"},{"last_affected":"5.6.4"},{"last_affected":"6.0.0"},{"last_affected":"6.0.0-alpha1"},{"last_affected":"6.0.0-alpha2"},{"last_affected":"6.0.0-beta1"},{"last_affected":"6.0.0-beta2"},{"last_affected":"6.0.0-rc1"},{"last_affected":"6.0.0-rc2"}],"cpe":["cpe:2.3:a:elastic:kibana:5.6.0:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:5.6.1:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:5.6.2:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:5.6.3:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:5.6.4:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:alpha2:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:beta1:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:beta2:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:6.0.0:rc2:*:*:*:*:*:*"],"source":"CPE_FIELD"}}],"versions":["v4.0.0-beta1","v4.0.0-beta1.1","v4.0.0-beta2","v4.0.0-beta3","v4.2.0-beta1","v5.0.0-alpha5","v5.6.0","v5.6.1","v5.6.2","v5.6.3","v5.6.4","v6.0.0","v6.0.0-alpha1","v6.0.0-alpha2","v6.0.0-beta1","v6.0.0-beta2","v6.0.0-rc1","v6.0.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-11481.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}