{"id":"CVE-2019-7621","details":"Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victimï¿½s browser.","modified":"2026-07-08T16:08:31.572073Z","published":"2019-12-18T20:15:16.977Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elastic-stack-6-8-6-and-7-5-1-security-update/212390"},{"type":"ADVISORY","url":"https://www.elastic.co/community/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"0"},{"fixed":"3d9f765bcad28244dc4c8eb8e8b7ba97ba5408f1"},{"introduced":"b7e28a7232616c7a21bc879a535d801b8553ba77"},{"fixed":"3ae9ac9a93c95bd0cdc054951cf95d88e1e18d96"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"6.8.6"},{"introduced":"7.0.0"},{"fixed":"7.5.1"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"versions":["v7.5.0","v6.8.5","v6.8.4","v6.8.3","v6.8.2","v6.8.1","v6.8.0","v6.7.2","v6.7.1","v6.7.0","v7.0.0-alpha2","v7.0.0-alpha1","v6.0.0-alpha2","v6.0.0-alpha1","v1.0.0.RC1","v1.0.0.Beta2","v1.0.0.Beta1","v0.90.0","v0.90.0.RC2","v0.90.0.RC1","v0.90.0.Beta1","v0.20.0.RC1","v0.19.0","v0.19.0.RC3","v0.19.0.RC2","v0.19.0.RC1","v0.18.0","v0.17.0","v0.16.0","v0.15.0","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.9.0","v0.8.0","v0.7.1","v0.7.0","v0.6.0","v0.5.1","v0.5.0","v0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-7621.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"0"},{"fixed":"a174acf677e77d280e3cbbbd8ffb6eca6db80846"},{"introduced":"ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"},{"fixed":"6d05841a418cfec4a88f0afbee172bccd9f0cded"}],"database_specific":{"cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"6.8.6"},{"introduced":"7.0.0"},{"fixed":"7.5.1"}],"source":"CPE_RANGE"}}],"versions":["v7.5.0","v6.8.5","v6.8.4","v6.8.3","v6.8.2","v6.8.1","v6.8.0","v6.7.2","v6.7.1","v6.7.0","v7.0.0-alpha2","v7.0.0-alpha1","7.0-known-good","v6.0.0-alpha2","v6.0.0-alpha1","v5.0.0-alpha5","v4.2.0-beta1","v4.0.0-beta3","v4.0.0-beta2","v4.0.0-beta1.1","v4.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-7621.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}