Kibana prior to 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an malicious user to execute arbitrary JavaScript in users' browsers.
A cross-site scripting (XSS) flaw was found in Kibana A remote attacker could use this flaw to inject arbitrary web script into pages served to other users ...