Elastic Stack 7.7.1 and 6.8.10 Security Update

Kibana cross site scripting (XSS) issue (ESA-2020-08)

The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit the TSVB visualization.

Affected Versions
All versions of Kibana after 5.4.0 are affected by this flaw.

Solutions and Mitigations
Users should upgrade to Kibana version 7.7.1 or 6.8.10. Users unable to upgrade can disable TSVB by setting "metrics.enabled: false" in the kibana.yml file.

CVSSv3: 6.7 - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
CVE ID: CVE-2020-7015
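
The following triage check is an added example, not part of the original advisory or of Elastic's tooling. It applies the affected range and fixed versions stated above to an installed version string and checks a kibana.yml for the documented mitigation. The function names and the sample configuration are constructed for illustration, and it assumes the setting is written in the flat "metrics.enabled" form quoted above.

```python
import re

FIXED = {6: (6, 8, 10), 7: (7, 7, 1)}  # fixed releases named in the advisory

def parse_version(text):
    """Parse a plain X.Y.Z release string; anything else is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """Apply the advisory's range: after 5.4.0, below the branch's fixed release."""
    v = parse_version(version)
    if v <= (5, 4, 0):  # the advisory lists versions "after 5.4.0"
        return False
    # 6.x is fixed from 6.8.10; every other branch is measured against 7.7.1
    return v < FIXED.get(v[0], FIXED[7])

def tsvb_disabled(kibana_yml):
    """True only if an uncommented flat 'metrics.enabled' key is set to false."""
    value = None
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"""["']?metrics\.enabled["']?\s*:\s*["']?(\w+)["']?""", line)
        if m:
            value = m.group(1).lower()
    return value == "false"

def assess(version, kibana_yml):
    if not is_affected(version):
        return "not affected"
    if tsvb_disabled(kibana_yml):
        return "affected, mitigated (TSVB disabled)"
    return "affected, upgrade or disable TSVB"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_KIBANA_YML = """\
server.port: 5601
# metrics.enabled: true
metrics.enabled: false   # ESA-2020-08 workaround
"""

if __name__ == "__main__":
    for ver in ("5.6.16", "6.8.9", "6.8.10", "7.7.0", "7.7.1"):
        print(ver, "->", assess(ver, SAMPLE_KIBANA_YML))
```

A configuration that sets the key in nested YAML form is reported as unmitigated by this check, which errs on the side of flagging the host for review.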