CVE-2021-37936


It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an Elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.


Published: 2022-11-18T23:15:19.060

Last Modified: 2025-04-29T15:15:46.710

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 5.4 (MEDIUM)

Weaknesses
  • Type: Secondary, CWE-79
  • Type: Primary, CWE-79

Affected Vendors & Products
| Type        | Vendor  | Product | Version/Range | Vulnerable? |
|-------------|---------|---------|---------------|-------------|
| Application | elastic | kibana  | < 7.14.1      | Yes         |
