CVE-2018-3823
Description
X-Pack Machine Learning before 6.2.4 and 5.6.9 has an XSS vulnerability where users with manage_ml permissions can inject malicious data into job configurations, affecting other ML users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
X-Pack Machine Learning before 6.2.4 and 5.6.9 has an XSS vulnerability where users with manage_ml permissions can inject malicious data into job configurations, affecting other ML users.
Vulnerability
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 contain a cross-site scripting (XSS) vulnerability. Users with the manage_ml permission can create jobs that include malicious data as part of their configuration. This malicious data is then rendered when other users view the job results, leading to XSS execution. All versions of X-Pack Machine Learning prior to the fixed releases are affected [2].
Exploitation
An attacker must have the manage_ml permission to create or modify a machine learning job. The attacker crafts a job configuration containing malicious JavaScript or HTML payloads. When another user with access to the ML results views the job's output, the payload executes in the context of that user's browser session. No additional user interaction beyond viewing the results is required [2].
Impact
Successful exploitation allows the attacker to obtain sensitive information from the victim's session or perform destructive actions on behalf of the victim, such as modifying data or executing privileged operations within the Elastic Stack. The attack operates within the victim's security context and permissions [2].
Mitigation
Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9, which contain the fix for this vulnerability. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<5.6.9, <6.2.4+ 1 more
- (no CPE)range: <5.6.9, <6.2.4
- (no CPE)range: before 6.2.4 and 5.6.9
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422mitrex_refsource_CONFIRM
- www.elastic.co/community/securitymitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.