CVE-2021-37936

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-37936

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37936.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-37936

Published

2022-11-18T23:15:19.060Z

Modified

2026-02-11T08:19:35.638147Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

References

Affected packages

Git / github.com/elastic/kibana

Affected ranges

Type: GIT
Repo: https://github.com/elastic/kibana
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

196ec3974d4c725a3d937725419e5ed7d8fdb104

Affected versions

7.*

7.0-known-good

v4.*

v4.0.0

v4.0.0-beta1

v4.0.0-beta1.1

v4.0.0-beta2

v4.0.0-beta3

v4.0.0BETA1

v4.1.0

v4.2.0-beta1

v5.*

v5.0.0-alpha5

v6.*

v6.0.0-alpha1

v6.0.0-alpha2

v7.*

v7.0.0-alpha1

v7.0.0-alpha2

v7.14.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37936.json"