Kibana Cross-Site Scripting Vulnerability - Unencoded Character in JSON Response

We have an on-prem installation of kibana-8.14.0. It is being analyzed by the vulnerability detection tool Qualys, and the tool is reporting the JSON response of the following API as vulnerable to Cross-Site Scripting.

Kibana API call made by the Qualys tool to find the vulnerability:

GET https://my-kibana/api/exception_lists/items?<script>alert(45)</script>

Response from the API:

content-type: application/json

{
  "statusCode":400,
  "error":"Bad Request",
  "message": "[request query] : Invalid keys <script>alert(45)</script>"
}

The tool is reporting an XSS vulnerability (unencoded character) in the ‘message’ property of the API JSON response shown above.

The team is asking us to fix this by encoding the response content for HTML.

  1. Is there any way the Kibana API response content is HTML-encoded and safe to render on the client/UI side to prevent XSS?
  2. OR does the Kibana frontend take care of encoding the response content to be safe for HTML before it renders in the UI, so that this is not a valid vulnerability finding?
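The following is an added example (not Kibana's code and not from either poster) that works through the two questions above on a constructed copy of the quoted response: it triages the finding by checking that the body is well-formed JSON served as application/json (the nosniff header is assumed for the sample; check your own deployment), shows the context-correct control, which is HTML-escaping at the point where a string is placed into HTML, and shows the optional server-side hardening of serializing HTML-significant characters as JSON \u escapes, which leaves the parsed value unchanged for API clients.

```javascript
// Constructed sample modelled on the exchange quoted in the question.
// The x-content-type-options header is assumed, not taken from the post.
const sampleResponse = {
  status: 400,
  headers: {
    'content-type': 'application/json; charset=utf-8',
    'x-content-type-options': 'nosniff',
  },
  body: '{"statusCode":400,"error":"Bad Request",'
      + '"message":"[request query] : Invalid keys <script>alert(45)</script>"}',
};

// Triage a scanner finding: a well-formed JSON body served as application/json
// (ideally with nosniff) is data the browser will not render as an HTML document,
// so the reflected string is only dangerous if a client later injects it into HTML.
function triageJsonResponse(resp) {
  const ct = String(resp.headers['content-type'] || '').toLowerCase();
  const isJson = ct.split(';')[0].trim() === 'application/json';
  const nosniff =
    String(resp.headers['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  let parsed = null;
  try {
    parsed = JSON.parse(resp.body);
  } catch (e) {
    return { isJson, nosniff, validJson: false, parsed: null };
  }
  return { isJson, nosniff, validJson: true, parsed };
}

// Context-correct encoding belongs at the render sink: escape for HTML only when
// a string is about to be placed into HTML (innerHTML, string templates).
// Writing it to a DOM text node needs no escaping at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Optional defence in depth on the server: emit HTML-significant characters as
// JSON \u escapes. JSON.parse yields the identical value, so API clients are
// unaffected, but the raw body never contains a literal "<script".
function serializeJsonHtmlSafe(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}
```

Running the triage over the real response in your own environment, not the sample above, is the check that decides whether the scanner's finding is a rendering issue in a client or merely a reflected string inside JSON.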

Hello and welcome,

Kibana 8.14 was released almost 2 years ago; there have been multiple improvements and security fixes since then, and the latest version is 8.19.11.

You need to upgrade your stack, both Elasticsearch and Kibana, to 8.19.11 and then check whether this issue is still present.

Do you have the CVE being reported by Qualys? If so you may search the forum for this CVE to see if it was already fixed.

2 Likes