Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.
To mitigate this vulnerability you can set "metrics.enabled: false" in kibana.yml
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3578 https://access.redhat.com/errata/RHSA-2020:3578
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):