Elastic Kibana vulnerabilities

DATE        CVE             VULNERABILITY TITLE                                                      RISK

2022-03-03  CVE-2022-23709  Missing Authorization vulnerability in Elastic Kibana                    4.3
  A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules.
  network, low complexity, elastic, CWE-862

2022-03-03  CVE-2022-23710  Cross-site Scripting vulnerability in Elastic Kibana                     6.1
  A cross-site scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as the Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim's browser.
  network, low complexity, elastic, CWE-79

2022-02-11  CVE-2022-23707  Cross-site Scripting vulnerability in Elastic Kibana                     5.4
  An XSS vulnerability was found in Kibana index patterns.
  network, low complexity, elastic, CWE-79

2021-11-18  CVE-2021-37938  Path Traversal vulnerability in Elastic Kibana                           4.3
  It was discovered that on Windows operating systems specifically, Kibana was not validating a user-supplied path, which would load .pbf files.
  network, low complexity, elastic, CWE-22

2021-11-18  CVE-2021-37939  Cleartext Transmission of Sensitive Information vulnerability in Elastic Kibana  2.7
  It was discovered that Kibana's JIRA connector and IBM Resilient connector could be used to return HTTP response data from internal hosts, which may be intentionally hidden from public view.
  network, low complexity, elastic, CWE-319

2021-06-02  CVE-2020-10743                                                                           4.3
  It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could be opened in an iframe, which made it possible to intercept and manipulate requests.
  network, low complexity, elastic, redhat

2021-05-13  CVE-2021-22136  Insufficient Session Expiration vulnerability in Elastic Kibana          3.5
  In Kibana versions before 7.12.0 and 6.8.15, a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not respected.
  low complexity, elastic, CWE-613

2021-05-13  CVE-2021-22139  Resource Exhaustion vulnerability in Elastic Kibana                      6.5
  Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of a timeout or a limit on the request size.
  network, low complexity, elastic, CWE-400

2020-12-02  CVE-2020-27816  Open Redirect vulnerability in multiple products                         6.1
  The elasticsearch-operator does not validate the namespace in which the kibana logging resource is created; because of that, it is possible to replace the original openshift-logging console link (kibana console) with a different one, created from the new CR for the new kibana resource.
  network, low complexity, elastic, redhat, CWE-601

2020-06-03  CVE-2020-7015   Cross-site Scripting vulnerability in Elastic Kibana                     5.4
  Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization.
  network, low complexity, elastic, CWE-79