CVE-2024-11390

MEDIUM Year: 2024
CVSS v3 Score
5.4
Medium
Weakness Type
CWE-434
View all →

Vulnerability Description

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Related Vulnerabilities

CVE-2016-2914

MEDIUM
CVSS:5.4(Medium)

Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specify...

CWE-4342016

CVE-2019-19493

MEDIUM
CVSS:5.4(Medium)

Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.

CWE-4342019

CVE-2019-6513

MEDIUM
CVSS:5.4(Medium)

An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.

CWE-4342019

CVE-2020-26828

MEDIUM
CVSS:5.4(Medium)

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which ca...

CWE-4342020

CVE-2020-2730

MEDIUM
CVSS:5.4(Medium)

Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0...

CWE-4342020

CVE-2021-24960

MEDIUM
CVSS:5.4(Medium)

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way ...

CWE-4342021