CVE-2021-37936
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
Se descubrió que Kibana no estaba sanitizando los campos de documentos que contenían fragmentos de HTML. Utilizando esta vulnerabilidad, un atacante con la capacidad de escribir documentos en un índice de elasticsearch podría inyectar HTML. Cuando la aplicación Discover resaltaba un término de búsqueda que contenía HTML, se mostraba al usuario.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-08-03 CVE Reserved
- 2022-11-18 CVE Published
- 2024-06-10 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077 | 2022-11-22 | |
| https://www.elastic.co/community/security | 2022-11-22 |