by shigemk2


Kibana 5.4.1

  • security fix
  • bugfix

The time series visual builder that was released in 5.4.0 is vulnerable to a cross-site scripting attack (XSS), where a malicious user could embed HTML into markdown documents that could result in JavaScript being executed in other users' browsers. This could be abused to steal sensitive information or to perform destructive actions on behalf of other users. 5.4.1 fixes this vulnerability by no longer allowing HTML in markdown documents. ESA-2017-07 (#11770)
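
The fix described above, as an added example that is not Kibana's own code: a small Markdown renderer where `allowHtml: true` models the vulnerable behaviour and the default models the 5.4.1 approach of not allowing HTML. The function names, the sample document and the link-scheme check (which goes beyond what the release note mentions) are assumptions made for illustration.

```javascript
// Minimal Markdown renderer: paragraphs, **bold**, *italic*, `code`, [text](url).
// Illustrative only; names and behaviour are assumptions, not Kibana's implementation.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Links are a second route to script execution, so only non-script schemes are kept.
function safeUrl(url) {
  return /^(https?:|mailto:|\/|#)/i.test(url) ? url : '#';
}

function renderInline(text) {
  return text
    .replace(/`([^`]+)`/g, '<code>$1</code>')
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\*([^*]+)\*/g, '<em>$1</em>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g,
      (_, label, url) => `<a href="${safeUrl(url)}">${label}</a>`);
}

function renderMarkdown(src, { allowHtml = false } = {}) {
  // allowHtml=true: raw HTML in the document reaches the page unchanged (vulnerable).
  // allowHtml=false: all input is escaped first, so embedded markup renders as text
  // and the only tags in the output are the ones this renderer generates itself.
  const input = allowHtml ? src : escapeHtml(src);
  return input
    .split(/\n{2,}/)
    .map((p) => `<p>${renderInline(p.trim())}</p>`)
    .join('\n');
}

// Constructed sample: a panel note written by one user and viewed by others.
const sample = [
  'CPU **usage** panel',
  '<img src=x onerror="alert(1)">',
  '[docs](javascript:x)',
].join('\n\n');

console.log('HTML allowed:\n' + renderMarkdown(sample, { allowHtml: true }));
console.log('HTML disallowed:\n' + renderMarkdown(sample));
```

With HTML disallowed, the second paragraph appears to viewers as literal text instead of becoming an element with an event handler.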