CVE-2021-37936

EPSS 1.26%
Published 18.11.2022 23:15:19
Last modified 29.04.2025 15:15:46
Source bressers@elastic.co
Teams watchlist Login
Open Login

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Elastic ≫ Kibana Version < 7.14.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.26%	0.787

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.elastic.co/community/security/

Vendor Advisory

Mitigation

https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-37936

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-37936

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-37936

EUVD