CVE-2018-1000029

Name of the Vulnerable Software and Affected Versions: mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier

Description: The issue is related to a Cross Site Scripting (XSS) vulnerability in the index view (/) that can be exploited via payload delivered through specific parameters. The vulnerable parameters include type, name, and value in the "/Query/set preference" endpoint, and name and value in the "/Query/preference" endpoint. The payload is executed when a user visits the index view (/).

Recommendations: For mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier, consider restricting access to the "/Query/set preference" and "/Query/preference" endpoints to minimize the risk of exploitation. As a temporary workaround, avoid using the type, name, and value parameters in the "/Query/set preference" endpoint and the name and value parameters in the "/Query/preference" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.