
Splunk Enterprise XSS Vulnerability Let Attackers Execute Unauthorized JavaScript Code


A significant security vulnerability in the Splunk Enterprise platform could allow low-privileged attackers to execute unauthorized JavaScript code through a reflected Cross-Site Scripting (XSS) flaw. 

The vulnerability, tracked as CVE-2025-20297, affects multiple versions of Splunk Enterprise and Splunk Cloud Platform, prompting the company to issue immediate security updates.

The reflected XSS vulnerability resides within Splunk Enterprise’s dashboard PDF generation component, specifically in the pdfgen/render REST endpoint.

Splunk Enterprise XSS Vulnerability

This security flaw enables attackers with minimal system privileges to craft malicious payloads that can execute arbitrary JavaScript code in victim browsers. 

The vulnerability is classified under CWE-79 (Cross-Site Scripting) and has been assigned a CVSSv3.1 score of 4.3, indicating a medium-severity risk level.

The attack vector is particularly concerning because it requires only a low-privileged user account, one that does not hold the “admin” or “power” Splunk roles.

This means that standard users with limited access can potentially exploit the vulnerability to compromise other users’ sessions. 

The CVSSv3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates that the attack can be executed remotely with low complexity, requiring low privileges but no user interaction.

Risk Factors           Details
Affected Products      Splunk Enterprise, all releases below 9.4.2, 9.3.4, and 9.2.6 (Splunk Web component in Enterprise versions 9.4.1, 9.3.0 through 9.3.3, and 9.2.0 through 9.2.5)
Impact                 Execution of unauthorized JavaScript
Exploit Prerequisites  Low-privileged user (non-admin/power); authenticated access to Splunk Web
CVSS 3.1 Score         4.3 (Medium)

The vulnerability impacts a broad range of Splunk products across multiple version branches. 

For Splunk Enterprise, affected versions include all releases below 9.4.2, 9.3.4, and 9.2.6. Specifically, the Splunk Web component in Enterprise versions 9.4.1, 9.3.0 through 9.3.3, and 9.2.0 through 9.2.5 contains the vulnerability. 

Notably, Splunk Enterprise 9.1 versions remain unaffected by this security issue. Splunk Cloud Platform users are similarly impacted, with vulnerable versions including those below 9.3.2411.102, 9.3.2408.111, and 9.2.2406.118. 

The vulnerability specifically affects instances with Splunk Web enabled, as this component handles the PDF generation functionality where the XSS flaw exists. The bug was discovered by Klevis Luli from Splunk’s security team.

Mitigation Strategies 

Splunk strongly recommends upgrading immediately to patched versions to address this vulnerability. For Enterprise users, the recommended fix versions are 9.4.2, 9.3.4, 9.2.6, or higher.

The company is actively monitoring and automatically patching affected Splunk Cloud Platform instances to ensure customer security.

As an interim workaround, organizations can disable Splunk Web entirely, which removes the attack vector because the vulnerability lies in the web interface’s PDF generation component.

This mitigation can be implemented through the web.conf configuration file, though it may significantly impact user experience and dashboard functionality.
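The version lists above and the web.conf workaround both reduce to a yes/no question for an administrator: is this instance on an affected release, and is Splunk Web still serving requests? The script below is an added example (not from the article or from Splunk) that answers both. The fixed-version thresholds and the unaffected 9.1 branch are taken from the article; the `startwebserver` key in web.conf's `[settings]` stanza is Splunk's documented switch for Splunk Web but is not named on the page, and the two web.conf fragments are constructed samples. Releases outside the branches the article lists are reported as not covered rather than guessed at.

```python
import configparser

# Fixed versions per release branch, from the advisory text. A branch key is the
# version prefix that identifies the branch; the value is the first fixed release.
FIXED = {
    "enterprise": {
        (9, 4): (9, 4, 2),
        (9, 3): (9, 3, 4),
        (9, 2): (9, 2, 6),
    },
    "cloud": {
        (9, 3, 2411): (9, 3, 2411, 102),
        (9, 3, 2408): (9, 3, 2408, 111),
        (9, 2, 2406): (9, 2, 2406, 118),
    },
}

# Branches the advisory explicitly calls unaffected.
UNAFFECTED = {"enterprise": [(9, 1)], "cloud": []}


def parse_version(text):
    """'9.3.2411.101' -> (9, 3, 2411, 101); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected(product, version):
    """True/False when the advisory covers the branch, None when it does not."""
    v = parse_version(version)
    for prefix, fixed in FIXED[product].items():
        if v[: len(prefix)] == prefix:
            return v < fixed
    for prefix in UNAFFECTED[product]:
        if v[: len(prefix)] == prefix:
            return False
    return None


def splunk_web_enabled(web_conf_text):
    """Read web.conf text and report whether Splunk Web would start.
    Absent key means the default, which is enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    raw = cp.get("settings", "startwebserver", fallback="1")
    return raw.strip().lower() not in ("0", "false", "f", "no", "n")


def exposure(product, version, web_conf_text):
    """Combine both checks into a single verdict string."""
    affected = is_affected(product, version)
    if affected is None:
        return "release branch not covered by the advisory; verify manually"
    if not affected:
        return "not affected (fixed or unaffected release)"
    if splunk_web_enabled(web_conf_text):
        return "AFFECTED and Splunk Web enabled: upgrade or apply the workaround"
    return "affected release, but Splunk Web disabled: workaround in place"


# Constructed web.conf samples: default behaviour vs. the interim workaround.
WEB_CONF_DEFAULT = """\
[settings]
httpport = 8000
"""

WEB_CONF_WORKAROUND = """\
[settings]
httpport = 8000
startwebserver = 0
"""

if __name__ == "__main__":
    for prod, ver in [("enterprise", "9.4.1"), ("enterprise", "9.1.6"),
                      ("cloud", "9.3.2411.101"), ("enterprise", "9.0.9")]:
        print(prod, ver, "->", exposure(prod, ver, WEB_CONF_DEFAULT))
    print("enterprise 9.4.1 with workaround ->",
          exposure("enterprise", "9.4.1", WEB_CONF_WORKAROUND))
```

On a live host the web.conf text would come from the effective configuration (all layered .conf files), not a single file, so the `startwebserver` check should be run against the merged result rather than one path.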

Security teams should prioritize this update given the potential for session hijacking and unauthorized code execution. While the vulnerability requires authenticated access, the low privilege requirements make it accessible to a broader range of potential attackers. 

Organizations should also review their user privilege assignments and consider implementing additional monitoring around the pdfgen/render endpoint until patches are fully deployed across their Splunk infrastructure.
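One concrete form of the monitoring suggested above is to review Splunk Web's access log for requests to the pdfgen/render endpoint and flag any whose query parameters carry HTML markup, which a dashboard-name or paper-size argument has no business containing. The script below is an added example, not the article's or Splunk's code. It assumes the Apache-combined-style line prefix used by Splunk's web_access.log (trailing Splunk-specific fields are ignored); the four log lines, the usernames and addresses, and the parameter values are constructed samples that illustrate a markup-in-parameter pattern rather than any actual payload.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the shape of Splunk web_access.log. Only the combined-log
# prefix (client, user, timestamp, request line, status) is parsed.
SAMPLE_WEB_ACCESS_LOG = """\
10.0.0.5 - alice [02/Jun/2025:09:12:01.100 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 18231 "-" "Mozilla/5.0" - 1a2b 45ms
10.0.0.5 - alice [02/Jun/2025:09:12:44.512 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=ops_overview&paper-size=a4 HTTP/1.1" 200 51200 "-" "Mozilla/5.0" - 1a2c 1200ms
10.0.0.9 - bob [02/Jun/2025:09:13:10.003 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=%3Cb%3Eops%3C%2Fb%3E HTTP/1.1" 200 4820 "-" "curl/8.6.0" - 1a2d 310ms
10.0.0.9 - bob [02/Jun/2025:09:13:12.770 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=ops_overview%22%3E%3Cb%3Ex%3C%2Fb%3E&paper-size=a4 HTTP/1.1" 200 4820 "-" "curl/8.6.0" - 1a2e 305ms
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

ENDPOINT = "pdfgen/render"

# Characters that never belong in a legitimate value for this endpoint's parameters.
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_pdfgen_requests(log_text):
    """Collect every request to the PDF rendering endpoint, with its decoded
    parameters and the names of any parameters containing markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if ENDPOINT not in url.path:
            continue
        # parse_qsl percent-decodes, so encoded '<' and '"' become visible here.
        params = parse_qsl(url.query, keep_blank_values=True)
        suspicious = [k for k, v in params if MARKUP_RE.search(k) or MARKUP_RE.search(v)]
        hits.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
            "status": int(rec["status"]), "params": params, "suspicious": suspicious,
        })
    return hits


def per_user_counts(hits):
    """How often each account exercised the endpoint; useful as a baseline."""
    return Counter(h["user"] for h in hits)


def flagged(hits):
    """Only the requests whose parameters carried markup."""
    return [h for h in hits if h["suspicious"]]


if __name__ == "__main__":
    hits = review_pdfgen_requests(SAMPLE_WEB_ACCESS_LOG)
    print("pdfgen/render requests per user:", dict(per_user_counts(hits)))
    for h in flagged(hits):
        print(f"FLAG {h['ts']} {h['user']}@{h['ip']} status={h['status']} "
              f"markup in: {h['suspicious']}")
```

Pair the per-user counts with the role review the paragraph recommends: an account without the admin or power roles that suddenly starts driving the PDF endpoint, especially with markup in its parameters, is exactly the combination this advisory describes, and a status of 200 on such a request means the pre-patch server accepted it.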


The post Splunk Enterprise XSS Vulnerability Let Attackers Execute Unauthorized JavaScript Code appeared first on Cyber Security News.

