CVE-2021-37936: XSS
First published: Fri Nov 18 2022(Updated: )
It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | <7.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-37936?
CVE-2021-37936 is a vulnerability found in Kibana that allows an attacker to inject HTML into an elasticsearch index.
How does CVE-2021-37936 work?
CVE-2021-37936 occurs when Kibana does not properly sanitize document fields containing HTML snippets, allowing the injection of malicious HTML.
What is the severity of CVE-2021-37936?
The severity of CVE-2021-37936 is medium, with a CVSS score of 5.4.
How can an attacker exploit CVE-2021-37936?
An attacker with the ability to write documents to an elasticsearch index can exploit CVE-2021-37936 by injecting malicious HTML into the document fields.
Is there a fix for CVE-2021-37936?
Yes, there is a fix available for CVE-2021-37936. It is recommended to update to version 7.14.2 or later of Elastic Kibana.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/tags
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/elastic
- canonical/elastic kibana