WARNING: Version 5.4 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
5.3.3 Release Notes
Also see Breaking changes in 5.0.
Security fix
Beginning in Kibana 5.3.0, the discovery app in Kibana is vulnerable to a
cross-site scripting attack (XSS) that would allow an attacker to inject
JavaScript into other users' browsers via Elasticsearch documents. This was
made possible by the field formatters plugin API and how it handled
compiling of template values in the discover doc table.
Versions 5.3.3 and 5.4.1 include a fix for this vulnerability
by changing the binding and compilation behavior for field formatters.
Thanks to Thomas Gøytil for reporting this issue.
X-Pack security [ESA-2017-08] (#11911)
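A simplified model of the issue class described above, as an added example that is not Kibana's code: `compile`, `formatField` and both render functions are hypothetical stand-ins, and the sample document is constructed. It shows why HTML-escaping formatter output is not enough when that output is later compiled as a template, and how keeping it out of the compile step leaves binding syntax inert.

```javascript
// Toy compile step (constructed): resolves {{ path }} bindings against a scope,
// standing in for a template engine compiling markup in the viewer's browser.
function compile(markup, scope) {
  return markup.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (match, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), scope);
    return value === undefined ? '' : String(value);
  });
}

// Escapes HTML metacharacters only; template delimiters pass through untouched.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Hypothetical field formatter: turns a stored field value into cell markup.
function formatField(value) {
  return '<span class="cell">' + escapeHtml(value) + '</span>';
}

// Before: formatter output is spliced into the row template and the whole row
// is compiled, so binding syntax stored in a document is evaluated.
function renderRowBindable(doc, scope) {
  const row = '<td title="{{ viewer }}">' + formatField(doc.message) + '</td>';
  return compile(row, scope);
}

// After: only the trusted template is compiled. Formatter output is inserted
// afterwards and never reaches compile(), so it is non-bindable.
function renderRowNonBindable(doc, scope) {
  const SLOT = '\u0000cell\u0000'; // placeholder that cannot occur in markup
  const row = compile('<td title="{{ viewer }}">' + SLOT + '</td>', scope);
  return row.replace(SLOT, () => formatField(doc.message));
}

// Constructed sample: a stored document whose field contains binding syntax.
const sampleDoc = { message: 'status {{ viewer }}' };
const sampleScope = { viewer: 'alice' };
console.log(renderRowBindable(sampleDoc, sampleScope));
console.log(renderRowNonBindable(sampleDoc, sampleScope));
```
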
Bug fixes
- Core
  - Formatted output is now non-bindable #11911