CVE-2024-11390

Published: May 1, 2025Modified: Oct 1, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: security@elastic.co (Secondary)

Description

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Affected (2)

Products: Elastic: Kibana

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	From 7.17.6 to 7.17.24
Elastic Kibana	From 8.4.0 to 8.12.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712

Source: security@elastic.co

PatchVendor Advisory

Timeline

No history available yet.