Severity
Medium
Analysis Summary
CVE-2025-37731 CVSS: 6.8
An improper authentication flaw in the Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need such a crafted client certificate to be signed by a legitimate, trusted Certificate Authority.
CVE-2025-37732 CVSS: 5.4
Improper neutralization of input during web page generation allows an authenticated user to render HTML tags within a user's browser via the integration package upload functionality.
Impact
- Gain Access
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-37731
CVE-2025-37732
Affected Vendors
- Elastic
Affected Products
- Elastic Kibana 7.0.0
- Elastic Kibana 8.0.0
- Elastic Kibana 9.0.0
- Elasticsearch 7.0.0
- Elasticsearch 8.0.0
- Elasticsearch 9.0.0
- Elasticsearch 9.2.0
- Elastic Kibana 9.2.0
Remediation
Refer to the Elastic Security Advisory for patch, upgrade, or suggested workaround information.