CVE-2021-37936

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-11-18 23:15

Updated : 2024-02-28 19:51


NVD link : CVE-2021-37936

Mitre link : CVE-2021-37936

CVE.ORG link : CVE-2021-37936


JSON object : View

Products Affected

elastic

  • kibana
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')