FreeBSD : elasticsearch -- XSS vulnerability in the CORS functionality (5951fb49-1ba2-11e5-b43d-002590263bf5)
Medium Nessus Plugin ID 84412
The remote FreeBSD host is missing a security-related update.
Elastic reports:

Vulnerability Summary: Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.

Remediation Summary: Users should either set 'http.cors.enabled' to false, or set 'http.cors.allow-origin' to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.
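The two remediations above are the only settings involved, so a practitioner wants two things: a way to tell which of the three states (CORS disabled, restricted to one origin, open to any origin) a given elasticsearch.yml puts a node in, and a way to read the result of probing a running node with a foreign Origin header. The following is an added example written for this page, not Elastic's or Nessus's code. It assumes the permissive 1.3.x default the advisory describes (CORS enabled with any origin allowed) when the keys are absent, treats a value wrapped in slashes as the regular-expression form of http.cors.allow-origin, and uses constructed config fragments and a constructed attacker origin.

```python
"""Audit Elasticsearch CORS settings and interpret a CORS probe (added example).

Two checks that follow from the advisory:
  1. read the http.cors.* keys from an elasticsearch.yml fragment and classify
     the resulting policy as disabled, restricted or permissive;
  2. given the Origin sent in a probe and the Access-Control-Allow-Origin
     header that came back, decide whether the node granted a foreign origin.
All config fragments and header values below are constructed for the example.
"""
import re

# Origin a hostile page would present; any policy that admits it is permissive.
ATTACKER_ORIGIN = "http://attacker.example"


def parse_settings(text):
    """Flatten simple 'dotted.key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only; values may contain colons
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def origin_allowed(allow_origin, origin):
    """Apply an http.cors.allow-origin value to a candidate Origin."""
    if allow_origin == "*":
        return True
    # Regex form: value wrapped in slashes, e.g. /https?:\/\/localhost(:[0-9]+)?/
    if len(allow_origin) > 1 and allow_origin.startswith("/") and allow_origin.endswith("/"):
        return re.fullmatch(allow_origin[1:-1], origin) is not None
    return allow_origin == origin


def classify_cors(text):
    """Return 'disabled', 'restricted' or 'permissive' for an elasticsearch.yml fragment.

    A missing key is treated as the permissive 1.3.x default described in the
    advisory (CORS enabled, any origin allowed); that default is an assumption
    of this example, taken from the advisory's own description.
    """
    s = parse_settings(text)
    if s.get("http.cors.enabled", "true").lower() == "false":
        return "disabled"
    allow = s.get("http.cors.allow-origin", "*")
    return "permissive" if origin_allowed(allow, ATTACKER_ORIGIN) else "restricted"


def response_grants_origin(origin_sent, acao_header):
    """True if an Access-Control-Allow-Origin header lets origin_sent read the response.

    Browsers accept either the wildcard '*' or a literal echo of the origin;
    a missing header means the cross-origin read is refused.
    """
    if acao_header is None:
        return False
    return acao_header.strip() in ("*", origin_sent)


# Constructed fragments: the out-of-the-box 1.3.x state versus the two remediations.
DEFAULT_CONFIG = "cluster.name: demo\n# http.cors.* left unset\n"
DISABLED_CONFIG = "http.cors.enabled: false\n"
RESTRICTED_CONFIG = 'http.cors.enabled: true\nhttp.cors.allow-origin: "http://kibana.internal:5601"\n'
REGEX_CONFIG = r"http.cors.enabled: true" "\n" r"http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/" "\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("disabled", DISABLED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG), ("regex", REGEX_CONFIG)]:
        print(f"{name:10s} -> {classify_cors(cfg)}")
    # Constructed probe results, as seen after something like
    #   curl -si -H "Origin: http://attacker.example" http://es-host:9200/
    print("wildcard node grants attacker:", response_grants_origin(ATTACKER_ORIGIN, "*"))
    print("hardened node grants attacker:", response_grants_origin(ATTACKER_ORIGIN, None))
```

The live check is the second half: send a request with an Origin header the node should not trust and feed the returned Access-Control-Allow-Origin value (or its absence) to response_grants_origin. A node that answers with "*" or echoes the foreign origin is still in the state the advisory describes, whatever the config file on disk says, which is why the probe is worth running after the restart.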