Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victimΓ―ΒΏΒ½s web browser.
CPE | Name | Operator | Version |
---|---|---|---|
elastic_app_search | lt | 7.7.0 |