Main Vulnerability Database SB2019020627

SB2019020627 - Cross-site scripting in curl (Alpine package)

Published: February 6, 2019

Security Bulletin ID SB2019020627

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2018-3823)

The vulnerability allows a remote authenticated user to read and manipulate data.

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=9a196002b469339f47b2d93361aced8256aa4dce
https://git.alpinelinux.org/aports/commit/?id=8cf4c8d1fc7898a590a8df46d139785baba40576