CVE-2021-37936Cross-site Scripting in Kibana

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.6%
top 31.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedNov 18
Latest updateNov 19

Description

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDelastic/kibana< 7.14.1
CVEListV5elastic/kibanaversions before 7.14.1

🔴Vulnerability Details

2
GHSA
GHSA-p8x3-m7c8-mcj5: It was discovered that Kibana was not sanitizing document fields containing HTML snippets2022-11-19
CVEList
CVE-2021-37936: It was discovered that Kibana was not sanitizing document fields containing HTML snippets2022-11-18

📋Vendor Advisories

1
Red Hat
kibana: HTML injection issue (ESA-2021-23)2022-11-19
CVE-2021-37936 — Cross-site Scripting in Elastic Kibana | cvebase