Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.
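
An added example, not from the original advisory or from the Elasticsearch project: a small audit of a flat `elasticsearch.yml` for the CORS exposure described above. It assumes the node runs 1.3.x or earlier and that, on those versions, an absent `http.cors.enabled` means enabled and an absent `http.cors.allow-origin` means `*`; the sample configurations and host name are constructed.

```python
# Assumption: effective values on 1.3.x and earlier when the keys are not set.
LEGACY_DEFAULTS = {"http.cors.enabled": "true", "http.cors.allow-origin": "*"}


def parse_flat_settings(text):
    """Parse flat 'key: value' lines; nested YAML is deliberately not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        key, value = line.split(":", 1)           # split on the first colon only
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_cors(yml_text):
    """Classify the CORS posture of a 1.3.x-or-earlier node from its config text."""
    settings = {**LEGACY_DEFAULTS, **parse_flat_settings(yml_text)}
    enabled = settings["http.cors.enabled"].lower() == "true"
    origin = settings["http.cors.allow-origin"]
    if not enabled:
        return "ok: CORS disabled"
    if origin == "*":
        return "exposed: any web origin may send cross-origin requests"
    if origin.startswith("/") and origin.endswith("/"):
        return "review: origin is a regular expression: " + origin
    return "review: CORS limited to " + origin


# Constructed sample configurations.
UNTOUCHED = "cluster.name: demo\nnode.name: n1\n"
DISABLED = "cluster.name: demo\nhttp.cors.enabled: false  # hardened\n"
RESTRICTED = (
    "http.cors.enabled: true\n"
    'http.cors.allow-origin: "http://kibana.example.internal:5601"\n'
)

if __name__ == "__main__":
    for name, cfg in [("untouched", UNTOUCHED), ("disabled", DISABLED),
                      ("restricted", RESTRICTED)]:
        print(name, "->", audit_cors(cfg))
```

A config that never mentions CORS is the one reported as exposed, which is why the default matters here: disabling CORS or naming the one origin that needs access both have to be written into the file explicitly.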