CVE-2021-37936 Vulnerability Details


CVE-2021-37936 Metadata Quick Info

CVE Published: 18/11/2022 | CVE Updated: 04/08/2024 | CVE Year: 2021
Source: elastic | Vendor: Elastic | Product: Kibana
Status: PUBLISHED

CVE-2021-37936 Description

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an Elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation
Source: Elastic

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).