Kibana versions before 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
elastic kibana
elastic kibana 4.2.0