Kibana 5.3.3edit

Security Fixesedit

Beginning in Kibana 5.3.0, the discovery app in Kibana is vulnerable to an cross-site scripting attack (XSS) that would allow an attacker to inject JavaScript into other user’s browsers via Elasticsearch documents. This was made possible by the field formatters plugin API and how it handled compiling of template values in the discover doc table. Versions 5.3.3 and 5.4.1 include a fix for this vulnerability by changing the binding and compilation behavior for field formatters. Thanks to Thomas Gøytil for reporting this issue.
X-Pack security[ESA-2017-08] (#11911)

Bug Fixesedit

  • Formatted output is now non-bindable #11911