CVE-2024-11390
published 2025-05-01


Priority: P4 (29)
CVSS 3.1 base score: 5.4 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.27% (18.5th percentile)
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Affected (4 ranges)

Vendor  | Product | Version range         | Fixed in
elastic | kibana  | >= 7.17.6 < 7.17.23   | 7.17.23
elastic | kibana  | >= 7.17.6 < 7.17.24   | 7.17.24
elastic | kibana  | >= 8.4.0 < 8.11.4     | 8.11.4
elastic | kibana  | >= 8.4.0 < 8.12.0     | 8.12.0