Kibana Stored Cross-Site Scripting (XSS) (ESA-2025-17)
Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site-Scripting (XSS)
Affected Versions:
- 7.x: All versions from 7.0.0 and up to and including 7.17.29
- 8.x: All versions from 8.0.0 and up to and including 8.18.7
- 8.19.x: All versions from 8.19.0 and up to and including 8.19.4
- 9.0.x: All versions from 9.0.0 and up to and including 9.0.7
- 9.1.x: All versions from 9.1.0 and up to and including 9.1.4
Affected Configurations:
A malicious user would need to have a role that includes All permissions under Management for Fleet and Integrations.
Solutions and Mitigations:
Users should upgrade to version 8.18.8, 8.19.5, 9.0.8, or 9.1.5.
Severity: CVSSv3.1: High (8.7) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE ID: CVE-2025-25018
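
A triage check for the affected versions and the role precondition listed above, as an added example that is not part of the original advisory or Elastic's code. It assumes the feature IDs `fleetv2` (Fleet) and `fleet` (Integrations), reads the precondition as All on both features, and conservatively counts a base `all` privilege as covering both; the sample roles are constructed in the shape returned by `GET /api/security/role`.

```python
import re

# Affected ranges copied from the advisory (inclusive bounds).
AFFECTED = [
    ((7, 0, 0), (7, 17, 29)), ((8, 0, 0), (8, 18, 7)), ((8, 19, 0), (8, 19, 4)),
    ((9, 0, 0), (9, 0, 7)), ((9, 1, 0), (9, 1, 4)),
]
# Assumption: Kibana feature IDs behind the "Fleet" and "Integrations" privileges.
FLEET_FEATURES = {"fleetv2": "Fleet", "fleet": "Integrations"}

def parse_version(text):
    """Parse 'X.Y.Z', ignoring suffixes such as '-SNAPSHOT'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True if the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def fleet_all_grants(role):
    """Names of the Fleet/Integrations features on which the role holds All."""
    granted = set()
    for entry in role.get("kibana", []):
        if "all" in entry.get("base", []):
            # Assumption: base All is treated as covering both (over-reports).
            granted.update(FLEET_FEATURES.values())
        for feature_id, privs in entry.get("feature", {}).items():
            if feature_id in FLEET_FEATURES and "all" in privs:
                granted.add(FLEET_FEATURES[feature_id])
    return granted

def roles_meeting_precondition(roles):
    """Role names holding All on both Fleet and Integrations."""
    need = set(FLEET_FEATURES.values())
    return sorted(r["name"] for r in roles if fleet_all_grants(r) >= need)

# Constructed sample roles (not real data).
SAMPLE_ROLES = [
    {"name": "fleet_admin", "kibana": [
        {"base": [], "feature": {"fleetv2": ["all"], "fleet": ["all"]}, "spaces": ["*"]}]},
    {"name": "analyst", "kibana": [
        {"base": [], "feature": {"fleet": ["read"], "dashboard": ["all"]}, "spaces": ["default"]}]},
    {"name": "space_owner", "kibana": [{"base": ["all"], "feature": {}, "spaces": ["ops"]}]},
]
```

Roles returned by `roles_meeting_precondition` are the ones to review or restrict on deployments where `is_affected` is true until the upgrade is applied.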