Kibana cross site scripting issue (ESA-2017-22)
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions: All prior to 6.0.1 and 5.6.5
Solutions and Mitigations:
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
CVE ID: CVE-2017-11481
Kibana open redirect flaw (ESA-2017-23)
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Affected Versions: All prior to 6.0.1 and 5.6.5
Solutions and Mitigations:
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
CVE ID: CVE-2017-11482