{"id":"CVE-2024-11390","details":"Unrestricted upload of a file with a dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.\n\nThe attacker must have access to the Synthetics app and/or write access to the synthetics indices.","aliases":["BIT-elk-2024-11390","BIT-kibana-2024-11390"],"modified":"2026-04-10T05:08:16.770012Z","published":"2025-05-01T14:15:34.913Z","references":[{"type":"FIX","url":"https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"d2647b053b769d4517fbb14ce37765808a1b6e0c"},{"fixed":"4fb3ec3c959e4c569aca4674243a2ecba9d973a7"},{"introduced":"1922ab0b6f8dc2906ef10f3fb65fc4d0e0076f90"},{"fixed":"e9092c0a17923f4ed984456b8a5db619b0a794b3"}],"database_specific":{"versions":[{"introduced":"7.17.6"},{"fixed":"7.17.24"},{"introduced":"8.4.0"},{"fixed":"8.12.0"}]}}],"versions":["v7.17.10","v7.17.11","v7.17.12","v7.17.13","v7.17.14","v7.17.15","v7.17.16","v7.17.17","v7.17.18","v7.17.19","v7.17.20","v7.17.21","v7.17.22","v7.17.23","v7.17.6","v7.17.7","v7.17.8","v7.17.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11390.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}