Volerion logoVolerion
Volerion logoVolerion

OpenSearch Dashboards Reporting Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the OpenSearch Dashboards Reporting plugin, specifically in versions prior to 2.19.0.0. The issue arises because the plugin allows users to inject untrusted HTML, including JavaScript, into report headers and footers. This injected script is executed when the report is viewed, potentially leading to the theft of sensitive information, such as keystrokes or cookies.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the report.

Reproduction

To reproduce this vulnerability, create a report in OpenSearch Dashboards Reporting version 2.18.0.0 or earlier. Inject an iframe payload into the header or footer that points to a JavaScript keylogger hosted on a local server. Once the report is saved, the keylogger will be executed when the report is previewed.

Remediation

Users can upgrade to OpenSearch Dashboards Reporting version 2.19.0.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
4.5
impact
1.7
exploitability
6.0
remediation
7.7
relevance
0.0
threat
6.5
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.