CVEs-PoC/2020/CVE-2020-7011.md

### [CVE-2020-7011](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7011)
![](https://img.shields.io/static/v1?label=Product&message=Elastic%20App%20Search&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-84%3A%20Improper%20Neutralization%20of%20Encoded%20URI%20Schemes%20in%20a%20Web%20Page&color=brighgreen)

### Description

Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim�s web browser.

### POC

#### Reference
- https://www.elastic.co/community/security/

#### Github
No PoCs found on GitHub currently.