Kibana 7.17.24 and 8.12.0 Security Update (ESA-2024-20)

Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS (ESA-2024-20)

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.

The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Affected Versions:
7.17.6 up to and including 7.17.23 and 8.4.0 up to and including 8.11.4

Solutions and Mitigations:
The issue is resolved in Kibana 7.17.24 and 8.12.0
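To triage a fleet against the version ranges above, the following added helper (written for this page, not Elastic's own tooling) parses a Kibana version string, reports whether it falls inside the advisory's inclusive affected ranges, and names the fixed release for that branch. It assumes the `version.number` field of Kibana's `/api/status` JSON response; the sample response is constructed.

```python
"""Triage helper for ESA-2024-20 (CVE-2024-11390): is this Kibana build affected?"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges from the advisory, one entry per release branch.
AFFECTED_RANGES = (
    ((7, 17, 6), (7, 17, 23)),   # 7.17.6 up to and including 7.17.23
    ((8, 4, 0), (8, 11, 4)),     # 8.4.0 up to and including 8.11.4
)
# First fixed release on each major line, per the advisory.
FIXED_VERSIONS = {7: (7, 17, 24), 8: (8, 12, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into ints; a -SNAPSHOT or +build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release on the same major line, or None if the build is not affected."""
    if not is_affected(version):
        return None
    major = parse_version(version)[0]
    return ".".join(str(n) for n in FIXED_VERSIONS[major])


def version_from_status(body: str) -> str:
    """Extract version.number from a Kibana /api/status JSON body (assumed field layout)."""
    return json.loads(body)["version"]["number"]


# Constructed sample of the relevant part of a /api/status response; not a real capture.
SAMPLE_STATUS = '{"name": "kibana-01", "version": {"number": "8.11.4", "build_snapshot": false}}'

if __name__ == "__main__":
    found = version_from_status(SAMPLE_STATUS)
    print(found, "affected:", is_affected(found), "upgrade to:", recommended_fix(found))
```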

Severity: CVSSv3: 5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2024-11390