### [CVE-2018-17246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17246)
![](https://img.shields.io/static/v1?label=Product&message=Kibana&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-73%3A%20External%20Control%20of%20File%20Name%20or%20Path&color=brighgreen)
### Description
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
### POC
#### Reference
- https://www.elastic.co/community/security
#### Github
- https://github.com/0xT11/CVE-POC
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/Rinkish/HTB_Ippsec_Notes
- https://github.com/SexyBeast233/SecBooks
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/babebbu/FIN_ACK_300-FinCyberSecTH2019-Hardening-WriteUp
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/edisonrivera/HackTheBox
- https://github.com/jiangsir404/POC-S
- https://github.com/kh4sh3i/ElasticSearch-Pentesting
- https://github.com/mpgn/CVE-2018-17246
- https://github.com/woods-sega/woodswiki
- https://github.com/zhengjim/loophole