QwikSec

Security Database

CVE

CWE

Training

CVE-2021-37936

Published: Nov 18, 2022

Modified: Apr 29, 2025

PUBLISHED

Description

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

Vendor	Product	Versions
Elastic	Kibana	affected `versions before 7.14.1`

Weaknesses (CWE)

References

https://www.elastic.co/community/security/

https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.