This is a technical writeup detailing a CSV injection vulnerability in Kibana 6.6.1, where an attacker can inject malicious payloads into the 'Custom Label' field of visualizations, leading to arbitrary command execution when the CSV is downloaded and opened by a user.
Classification
Writeup 90%
Target:
Kibana v6.6.1
No auth needed
Prerequisites:
Access to Kibana dashboard with edit privileges · User interaction to download and open the CSV file