Kibana XSS (ESA-2019-17)
Kibana versions before 6.8.6 and 7.5.1 contain a cross-site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization, or a dashboard containing it, the visualization could execute JavaScript in the victim’s browser.
Please note that Kibana has had Content Security Policy (CSP) enabled by default since versions 6.7.0 and 7.0.0. Most browsers supported by Kibana honor the CSP settings. CSP prevents attackers from executing arbitrary JavaScript using this flaw; however, an attacker can still inject arbitrary HTML into the page. Setting ‘csp.strict: true’ in kibana.yml disallows browsers that do not enforce CSP rules.
Thanks to Eran Vaknin and Rotem Reiss, Security Researchers, for reporting this issue.
Affected Versions
Kibana versions before 7.5.1 and 6.8.6
Solutions and Mitigations:
Users should upgrade to Elasticsearch version 7.5.1 or 6.8.6. Users who are unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.
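As an added example (not part of the advisory and not Elastic's code), the following script checks a deployment against the version ranges and kibana.yml mitigations listed above. It assumes the affected range is every release below 6.8.6 plus 7.0.0 through 7.5.0, reads kibana.yml as flat `key: value` lines (a minimal parser written for this example; real deployments may use nested YAML and should use a full parser), and treats the three map settings as enabled unless they are explicitly set to false, which is their default. The kibana.yml shown is a constructed sample.

```python
"""Assess exposure to ESA-2019-17 (CVE-2019-7621) from a Kibana version string
and the contents of kibana.yml, and report which advisory mitigations apply."""
import re

FIXED_6X = (6, 8, 6)   # first fixed 6.x release, per the advisory
FIXED_7X = (7, 5, 1)   # first fixed 7.x release, per the advisory

# kibana.yml settings the advisory names for disabling map visualizations
MITIGATION_KEYS = ("xpack.maps.enabled", "region_map.enabled", "tile_map.enabled")

# Constructed sample configuration for this example; not from any real deployment.
SAMPLE_KIBANA_YML = """\
server.port: 5601
csp.strict: true
xpack.maps.enabled: false
region_map.enabled: false
# tile_map.enabled is left at its default (true), so maps are not fully disabled
"""


def parse_version(text):
    """'7.4.2' -> (7, 4, 2); tolerates a suffix such as '7.5.0-SNAPSHOT'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the version falls in the advisory's affected ranges."""
    v = parse_version(version)
    if v >= FIXED_7X:
        return False            # 7.5.1 and later are fixed
    if v >= (7, 0, 0):
        return True             # 7.0.0 .. 7.5.0 are affected
    return v < FIXED_6X         # 6.8.6 .. 6.x fixed; anything below affected


def parse_kibana_yml(text):
    """Minimal flat 'key: value' parser (assumption for this example).
    Comments and blank lines are ignored; quotes around values are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_false(value):
    return str(value).lower() == "false"


def _is_true(value):
    return str(value).lower() == "true"


def assess(version, kibana_yml):
    """Return a dict describing version exposure and mitigation status."""
    settings = parse_kibana_yml(kibana_yml)
    vulnerable = is_vulnerable(version)
    # Map visualizations default to enabled, so a missing key counts as enabled.
    missing = [k for k in MITIGATION_KEYS if not _is_false(settings.get(k, "true"))]
    maps_disabled = not missing
    if not vulnerable:
        action = "none"
    elif maps_disabled:
        action = "mitigated by config; upgrade when possible"
    else:
        action = "upgrade or disable map visualizations"
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "maps_disabled": maps_disabled,
        "missing_mitigations": missing,
        "csp_strict": _is_true(settings.get("csp.strict", "false")),
        "action": action,
    }


if __name__ == "__main__":
    for ver in ("7.4.2", "7.5.1", "6.8.5", "6.8.6"):
        print(assess(ver, SAMPLE_KIBANA_YML))
```

Run it against the sample and a 7.4.2 install reports `tile_map.enabled` as the one missing mitigation; adding that line to the configuration changes the recommended action to the "mitigated by config" case, which is what a defender wants to confirm before an upgrade window.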
CVSSv3: 7.3 - AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE ID: CVE-2019-7621