Kibana's api does not sanitize one of its method's parameters allowing for an attacker to specify any file of the target system, this file will be treated as a js and executed
CVE Link
Exploit Platform
Exploit Type
Product Name