WARNING: Version 5.6 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Beginning in Kibana 5.3.0, the discovery app in Kibana is vulnerable to an
cross-site scripting attack (XSS) that would allow an attacker to inject
made possible by the field formatters plugin API and how it handled
compiling of template values in the discover doc table.
Versions 5.3.3 and 5.4.1 include a fix for this vulnerability
by changing the binding and compilation behavior for field formatters.
Thanks to Thomas Gøytil for reporting this issue.
X-Pack security[ESA-2017-08] (#11911)
- Formatted output is now non-bindable #11911