CVE-2024-11390

Опубликовано: 01 мая 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.

The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Ссылки

https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Версия от 7.17.6 (включая) до 7.17.24 (исключая)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Версия от 8.4.0 (включая) до 8.12.0 (исключая)

EPSS

Процентиль: 25%

0.00087

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-434

Связанные уязвимости

CVE-2024-11390

CVSS3: 5.4

debian

9 месяцев назад

Unrestricted upload of a file with dangerous type in Kibana can lead t ...

GHSA-mv8v-9jrg-2c2w

CVSS3: 5.4

github

9 месяцев назад

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

EPSS

Процентиль: 25%

0.00087

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-434