CVE-2024-11390

Severity CVSS v4.0:
Pending analysis
Type:
CWE-434 Unrestricted Upload of File with Dangerous Type
Publication date:
01/05/2025
Last modified:
01/10/2025

Description

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.

The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* | 7.17.6 (including) | 7.17.24 (excluding)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* | 8.4.0 (including) | 8.12.0 (excluding)