Kibana 4.x XSS -- CVE pending
(Kevin Kluge) #1

Summary
Kibana versions up to and including 4.3.0, 4.2.1, and 4.1.3 are vulnerable to a cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the user’s browser.

We have requested a CVE number and will update our forum post and website when the number has been assigned.

Thanks to Vladimir Ivanov (Positive Technologies) for finding and responsibly reporting the issue.

Fixed Versions
Versions 4.3.1, 4.2.2, and 4.1.4 have addressed the vulnerability.

Remediation
Users should upgrade Kibana to 4.3.1, 4.2.2, or 4.1.4. This will address the vulnerability.

Found customers are being updated automatically.


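The advisory gives three parallel fixed releases, one per 4.x branch, so a naive "is my version below 4.3.1?" check misclassifies 4.2.x and 4.1.x installs. The following is an added example, not code from Elastic or from the original post: a branch-aware checker that applies the ranges stated above to version strings gathered from a constructed inventory. It assumes that 4.0.x (older than any branch that received a fix) should be treated as affected and that branches newer than 4.3 ship with the fix; both are assumptions, not statements from the advisory.

```python
"""Branch-aware check for the Kibana 4.x XSS advisory (added example, not
Elastic's code). Classifies a Kibana version string against the fixed
releases 4.3.1, 4.2.2 and 4.1.4 named in the advisory."""
import re

# First fixed release on each 4.x branch, taken from the advisory text.
FIXED_BY_BRANCH = {
    1: (4, 1, 4),
    2: (4, 2, 2),
    3: (4, 3, 1),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?")


def parse_version(text):
    """Turn '4.3.0', 'v4.2.1' or '4.3.1-SNAPSHOT' into a (major, minor, patch)
    tuple. Pre-release/build suffixes are ignored for the comparison."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError("unrecognised Kibana version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Return True if the version is in an affected range, False if it
    carries a fix, or None if the advisory does not cover the major version.

    Assumptions (not from the advisory): 4.0.x is treated as affected
    because no 4.0 fix is listed; 4.4 and later are treated as fixed."""
    major, minor, patch = parse_version(version)
    if major != 4:
        return None
    if minor < min(FIXED_BY_BRANCH):
        return True  # assumption: pre-4.1 has no fixed release listed
    if minor > max(FIXED_BY_BRANCH):
        return False  # assumption: later branches include the fix
    return (major, minor, patch) < FIXED_BY_BRANCH[minor]


def audit(inventory):
    """Map host -> 'affected' | 'fixed' | 'not covered' for an inventory of
    {host: version} pairs, so a fleet can be triaged in one pass."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "kibana-prod-1": "4.3.0",
    "kibana-prod-2": "4.3.1",
    "kibana-legacy": "4.1.3",
    "kibana-dev": "v4.2.2-SNAPSHOT",
    "kibana-old": "4.0.2",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-16s %s" % (host, status))
```

Run it against whatever version strings your inventory tooling already collects; the point of the branch table is that an install reading 4.2.2 is patched even though 4.2.2 sorts below 4.3.0.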