CVE-2024-11390: 
Kibana vulnerability analysis and mitigation

CVE-2024-11390 is a security vulnerability discovered in Kibana that was disclosed on May 1, 2025. The vulnerability affects Kibana's file upload functionality in the Synthetics app, allowing unrestricted upload of files with dangerous types that can lead to arbitrary JavaScript execution in a victim's browser through cross-site scripting (XSS) attacks. The vulnerability requires the attacker to have access to the Synthetics app and/or have access to write to the synthetics indices (Wiz Database, NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically involves the ability to upload crafted HTML and JavaScript files that can be executed in a victim's browser when accessed (NVD, Wiz Database).

When exploited, this vulnerability can lead to arbitrary JavaScript execution in a victim's browser through cross-site scripting (XSS). This could potentially allow attackers to steal sensitive information, manipulate web content, or perform actions on behalf of the victim within the Kibana interface (Wiz Database).

Elastic has released security updates to address this vulnerability. Users should upgrade to the patched versions: Kibana 7.17.24 or 8.12.0 (Elastic Discussion).