Cross-Site Request Forgery (CSRF)

Kibana is vulnerable to Cross-Site Request Forgery. There is no restriction in graphite.url configuration. Thus, an attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL, possibly leading to an attacker accessing external URL resources as the Kibana process on the host system.