Kibana Cross-site Request Forgery CVE-2015-8131


(Kevin Kluge) #1

CVE: CVE-2015-8131
Affected versions: All versions up to and including 4.1.2 and 4.2.0.

The vulnerability is a cross-site request forgery (CSRF or XSRF) that could allow an attacker to read and write changes to the .kibana index or gain read and write access to Kibana plugin actions.

Remediation: All users should upgrade to Kibana 4.2.1 or 4.1.3.

While the attack vector can be lessened or eliminated with certain authentication setups, we urge all users to upgrade in any case.

CVSS Score: 6.1

We would like to thank Ruben van Vreeland for reporting the issue and working with us on the resolution.

Related links:

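As an added example (not from the advisory and not Elastic's own tooling), a small inventory triage that applies the affected-version ranges stated above: anything on or before 4.1.2, plus 4.2.0, is flagged and mapped to the minimum fixed release on its branch. It assumes Kibana version strings in `X.Y.Z` form (optional leading `v` or build suffix) and uses a constructed host list.

```python
"""Fleet check for CVE-2015-8131 (Kibana CSRF).

Affected: every release up to and including 4.1.2, plus 4.2.0.
Fixed:    4.1.3 (4.1 branch) and 4.2.1 (4.2 branch).
"""
import re

LAST_AFFECTED_41 = (4, 1, 2)
AFFECTED_42 = (4, 2, 0)

def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v', optional -suffix/+build) into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    """True when the install falls inside the ranges listed in the advisory."""
    v = parse_version(version)
    return v <= LAST_AFFECTED_41 or v == AFFECTED_42

def required_upgrade(version):
    """Minimum fixed release for an affected install, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    # 4.2.0 moves to 4.2.1; 4.1.2 and earlier move to 4.1.3
    # (the advisory says 4.2.1 is equally acceptable for the older branch).
    return "4.2.1" if v[:2] == (4, 2) else "4.1.3"

def triage(inventory):
    """inventory: iterable of (host, version) -> [(host, version, fix)] for affected hosts."""
    return [(h, ver, required_upgrade(ver)) for h, ver in inventory if is_affected(ver)]

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("kibana-a.example.internal", "4.0.3"),
    ("kibana-b.example.internal", "4.1.2"),
    ("kibana-c.example.internal", "4.1.3"),
    ("kibana-d.example.internal", "v4.2.0"),
    ("kibana-e.example.internal", "4.2.1"),
]

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: Kibana {ver} is affected by CVE-2015-8131; upgrade to {fix}")
```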