CVE-2020-26296

Source
Severity High
Remote Yes
Type Cross-site scripting
Description
The Kibana “Vega” visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14.
Group     Package  Affected  Fixed     Severity  Status  Ticket
AVG-2323  kibana   7.10.1-1  7.10.2-1  High      Fixed   FS#70038
References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
Notes
Workaround
==========

The issue can be mitigated by disabling Vega visualizations by setting ‘vega.enabled: false’ in the kibana.yml file.
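
An added example, not part of the original advisory: a shell check that classifies a Kibana install as patched, mitigated or vulnerable using the fixed versions and the workaround stated above. The function names are hypothetical, GNU `sort -V` is assumed, and treating every lower 6.x/7.x release as unfixed is an assumption the advisory does not spell out.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2020-26296 (not the tracker's own code).
# Fixed versions come from the advisory: 7.10.2 (7.x branch) and 6.8.14 (6.x branch).

# version_lt A B: true when A sorts strictly before B (GNU sort -V assumed).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vega_disabled FILE: true when FILE has an uncommented "vega.enabled: false".
# Only the flat key form given in the advisory is recognised; anything else
# (commented out, set to true, missing file) counts as not mitigated.
vega_disabled() {
    [ -r "$1" ] &&
    grep -Eq '^[[:space:]]*vega\.enabled:[[:space:]]*false[[:space:]]*(#.*)?$' "$1"
}

# kibana_vega_status VERSION CONFIG: prints patched, mitigated, vulnerable or unknown.
kibana_vega_status() {
    ver=${1%%-*}                      # drop the package release: 7.10.1-1 -> 7.10.1
    case $ver in
        6.*) fixed=6.8.14 ;;
        7.*) fixed=7.10.2 ;;
        *)   echo unknown; return 0 ;;   # branch not named in the advisory
    esac
    if ! version_lt "$ver" "$fixed"; then
        echo patched
    elif vega_disabled "$2"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed sample config, for demonstration only.
demo_cfg=$(mktemp)
printf 'server.port: 5601\nvega.enabled: false\n' > "$demo_cfg"
kibana_vega_status 7.10.1-1 "$demo_cfg"   # affected package, workaround applied
kibana_vega_status 7.10.2-1 "$demo_cfg"   # fixed package
rm -f "$demo_cfg"
```

On a real host, pass the installed package version and the path to the deployed kibana.yml; a result of "mitigated" still calls for upgrading to the fixed package.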