SB2025121525 - Multiple vulnerabilities in Kibana

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2025-37732)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the integration package upload functionality. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

2) Improper authorization (CVE-ID: CVE-2025-68386)

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote user can send a specially crafted HTTP request and change a document's sharing type to "global" without the necessary permissions. 

Remediation

Install update from vendor's website.

References

• https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064
• https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186