CVE-2021-37936: 
Kibana vulnerability analysis and mitigation

A vulnerability was discovered in Kibana (CVE-2021-37936) where the application failed to properly sanitize document fields containing HTML snippets. The issue was identified in Kibana version 7.14.0 and was disclosed in September 2021. This vulnerability affects the Discover app functionality within Kibana (Elastic Advisory).

The vulnerability stems from improper sanitization of HTML content in document fields. When the Discover app highlights a search term containing unsanitized HTML, the content would be rendered for the user, leading to a potential Cross-Site Scripting (XSS) vulnerability. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows an attacker with the ability to write documents to an Elasticsearch index to inject HTML code. When a user accesses the affected document through the Discover app's search functionality, the injected HTML would be rendered in their browser, potentially leading to cross-site scripting attacks (Elastic Advisory).

Users can mitigate this vulnerability by either upgrading to Kibana version 7.14.1 or by setting 'doc_table:highlight' to 'false' in the Kibana Advanced Settings. The permanent solution is to upgrade to the fixed version 7.14.1 (Elastic Advisory).