| blind Server-Side Request Forgery (SSRF) allows scanning internal ports |
Server-Side Request Forgery (SSRF) |
lu3ky-13 |
Medium |
2023-05-05 |
| Synthetics Recorder: Code injection when recording website with malicious content |
Code Injection |
dee-see |
High |
2023-04-08 |
| Default password on 34.120.209.175 |
Weak Cryptography for Passwords |
newspaper |
Medium |
2022-11-18 |
| CSRF in AppSearch allows creation of "curations" |
Cross-Site Request Forgery (CSRF) |
dee-see |
Medium |
2022-11-17 |
| Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows |
Path Traversal |
dee-see |
Low |
2021-11-15 |
| CVE-2021-40870 on [52.204.160.31] |
Code Injection |
fdeleite |
Critical |
2021-10-06 |
| Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee |
Cleartext Storage of Sensitive Information |
prateek_0490 |
Critical |
2021-09-01 |
| Prototype Pollution leads to XSS on https://blog.swiftype.com/#__proto__[asd]=alert(document.domain) |
Cross-site Scripting (XSS) - DOM |
s1r1u5 |
High |
2021-08-16 |
| Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access |
Improper Access Control - Generic |
superman85 |
High |
2021-08-03 |
| [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>` |
Cross-site Scripting (XSS) - Stored |
superman85 |
High |
2021-08-03 |
| Improper authorization on `/api/as/v1/credentials/` allows any App Search user to access all API keys and escalate privileges |
Improper Access Control - Generic |
dee-see |
High |
2021-06-02 |
| RCE hazard in reporting (via Chromium) |
Privilege Escalation |
alexbrasetvik |
Critical |
2021-05-26 |
| XXE in Enterprise Search's App Search web crawler |
XML External Entities (XXE) |
dee-see |
Critical |
2021-04-29 |
| Remote Code Execution in coming Kibana 7.7.0 |
Privilege Escalation |
alexbrasetvik |
Critical |
2021-04-19 |
| Over-Privileged API Credentials for Elastic Agent |
Violation of Secure Design Principles |
captaingeech |
Medium |
2021-03-29 |