Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. References: https://www.elastic.co/community/security
Openshift 3.7 uses Kibana 4.6.4. Marking Openshift as not affected.