CVE-2021-37936

Published: Nov 18, 2022Modified: Apr 29, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

Affected (1)

Products: Elastic: Kibana

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	Before 7.14.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077

Source: security@elastic.co

MitigationVendor Advisory

https://www.elastic.co/community/security/

Source: security@elastic.co

MitigationVendor Advisory

https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://www.elastic.co/community/security/

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.