Elastic Kibana vulnerabilities

CVE-2016-1000220 [MEDIUM] CWE-79 CVE-2016-1000220: Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execu Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.

CVE-2016-10364 [MEDIUM] CWE-306 CVE-2016-10364: With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.

CVE-2016-10365 [MEDIUM] CWE-601 CVE-2016-10365: Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an atta Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.

CVE-2015-9056 [MEDIUM] CWE-79 CVE-2015-9056: Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.

CVE-2017-8440 [MEDIUM] CWE-79 CVE-2017-8440: Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover pag Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2017-8439 [MEDIUM] CWE-79 CVE-2017-8439: Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Buil Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.

CVE-2015-8131 [MEDIUM] CWE-352 CVE-2015-8131: Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x befor Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2015-4093 [MEDIUM] CWE-79 CVE-2015-4093: Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote atta Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.