CVE-2025-68385

Summary

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.

Affected Software

VendorProductVersion RangeStatus
ElasticKibana7.0.0 <= 7.17.29affected
ElasticKibana8.0.0 <= 8.19.8affected
ElasticKibana9.0.0 <= 9.1.8affected
ElasticKibana9.2.0 <= 9.2.2affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References