CSV Injection in Kibana 6.6.1 up to Latest Version 7.5.2
Dear reader, a few days ago I was testing Kibana in my organization, which is using Kibana version 6.6.1. While testing, I was able to find a CSV injection in the Dashboard tab. There was no CVE or any other information about this specific vulnerability, so I have reported this issue to Kibana, which will fix it soon as a security hardening feature.

Let's start with the POC of this vulnerability. Below are the steps to reproduce.

1. A large number of Kibana portals on the internet are open, have no authentication, and can be exploited by this injection.
2. Click on the Dashboard tab and select any dashboard from the list. I would suggest selecting a dashboard that has a gauge visualization type, as shown in the screenshot below.
3. Once you are on the dashboard, click on the Edit button at the top right.
4. Click the gear (options) button of any graphical view box.
5. It will open an options box; click on Edit visualization.
6. It will open the
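The hardening that closes this bug class is to neutralise formula-like cell values before they reach the exported CSV, so a spreadsheet opens them as text rather than executing them. The following is an added example written for this page, not Kibana's own code: it escapes any cell starting with a formula trigger, quotes every field, and also audits rows so an export pipeline can log which cells looked like formulas. The field names and sample rows are constructed.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a CSV cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula.
    Leading spaces are stripped first because spreadsheets ignore them."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def escape_formula_value(value):
    """Prefix a formula-like cell with a single quote, which spreadsheets
    read as 'keep the rest literal'. Non-string values pass through."""
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def audit_rows(rows, fieldnames):
    """Return (row_index, field) for every cell that looks like a formula,
    for logging or alerting before an export is handed to a user."""
    return [
        (i, k)
        for i, row in enumerate(rows)
        for k in fieldnames
        if isinstance(row.get(k), str) and is_formula_like(row[k])
    ]


def export_safe_csv(rows, fieldnames):
    """Write rows as CSV text with every cell escaped and double-quoted.
    Field names are treated as a trusted schema and written unchanged."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: escape_formula_value(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed sample documents; the "host" field stands in for any
# attacker-influenced value that a dashboard export would include verbatim.
SAMPLE_ROWS = [
    {"@timestamp": "2020-01-10T10:00:00Z", "host": "web-01", "status": "200"},
    {"@timestamp": "2020-01-10T10:00:01Z", "host": "=1+1", "status": "500"},
    {"@timestamp": "2020-01-10T10:00:02Z", "host": "  -web-03", "status": "404"},
]
FIELDS = ["@timestamp", "host", "status"]
```

Run `print(export_safe_csv(SAMPLE_ROWS, FIELDS))` to see the escaped output; `audit_rows(SAMPLE_ROWS, FIELDS)` reports the two suspicious host cells.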