Kibana is vulnerable to Cross-Site Request Forgery. There is no restriction on the value of the graphite.url
configuration option. Thus, an attacker with administrative Kibana access could set the timelion:graphite.url
configuration option to an arbitrary URL, possibly leading to the attacker accessing external URL resources as the Kibana process on the host system.
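
An added example (not Kibana's code and not the vendor's fix): one way to restrict a setting such as timelion:graphite.url is to compare the normalized value against an exact-match allowlist before the server ever requests it. The allowlist name, the function names and all hostnames are assumptions constructed for illustration.

```javascript
// Added example: exact-match allowlist for a Graphite backend URL setting.
// ALLOWED_GRAPHITE_URLS and all hostnames are constructed sample values.
const ALLOWED_GRAPHITE_URLS = ['https://graphite.internal.example/render'];

// Reduce a URL to scheme + host[:port] + path (no trailing slash) so that
// equivalent spellings compare equal. Anything that could redirect the
// request elsewhere (other schemes, userinfo, query, fragment) is rejected.
function normalize(raw) {
  const u = new URL(raw); // throws TypeError on unparsable input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${u.protocol}`);
  }
  if (u.username || u.password) {
    throw new Error('credentials in URL not allowed');
  }
  if (u.search || u.hash) {
    throw new Error('query or fragment not allowed');
  }
  // URL already lowercases the host and drops the scheme's default port.
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, '')}`;
}

// Returns { ok: true, url } only when the candidate equals an allowlist
// entry after normalization. Prefix or substring matching is avoided on
// purpose: it would accept look-alike hosts.
function checkGraphiteUrl(candidate, allowlist = ALLOWED_GRAPHITE_URLS) {
  let normalized;
  try {
    normalized = normalize(candidate);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  const allowed = new Set(allowlist.map(normalize));
  return allowed.has(normalized)
    ? { ok: true, url: normalized }
    : { ok: false, reason: `not in allowlist: ${normalized}` };
}

// Constructed inputs: one allowed spelling and several rejected ones.
for (const s of [
  'https://GRAPHITE.internal.example:443/render/',
  'https://graphite.internal.example.other-host.example/render',
  'https://graphite.internal.example@other-host.example/render',
  'ftp://graphite.internal.example/render',
]) {
  console.log(s, '->', JSON.stringify(checkGraphiteUrl(s)));
}
```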