CVE-2022-23710
Description
A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site-scripting (XSS) vulnerability in Kibana's Data Preview Pane allows arbitrary JavaScript execution in a victim's browser.
Vulnerability
A cross-site-scripting (XSS) vulnerability exists in the Data Preview Pane (formerly Index Pattern Preview Pane) of Kibana. The flaw allows arbitrary JavaScript to be executed when a victim views crafted data in the pane. For self-managed deployments, the issue affects Kibana versions 7.15.0, 7.15.1, and 7.15.2. Elastic Cloud Services are also impacted, as noted in the advisory [1][2].
Exploitation
An attacker can inject malicious JavaScript into data that is later rendered in the Data Preview Pane. No special privileges are required beyond the ability to supply or modify data that appears in the pane. Exploitation requires user interaction: the script executes in the context of the victim's browser session when they view the crafted data in the pane [1][2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser, potentially leading to data theft, session hijacking, or other actions within the Kibana application at the victim's privilege level [1][2].
Mitigation
The vulnerability is fixed in Kibana versions 7.17.1, 8.0.1, and 8.1.0. Users should upgrade to these versions. No workaround is available. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | >= 7.16.0, < 7.17.1 | 7.17.1 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (5)
- github.com/advisories/GHSA-m6gg-86c6-gfr9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23710 (ghsa, ADVISORY)
- discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447 (ghsa, x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20220325-0009 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20220325-0009/ (mitre, x_refsource_CONFIRM)