A significant security vulnerability in the Splunk Enterprise platform may allow low-privileged attackers to execute unauthorized JavaScript code through a reflected Cross-Site Scripting (XSS) flaw.
The vulnerability, tracked as CVE-2025-20297, affects multiple versions of Splunk Enterprise and Splunk Cloud Platform, prompting the company to issue immediate security updates.
The reflected XSS vulnerability resides in Splunk Enterprise's dashboard PDF generation component, specifically in the pdfgen/render REST endpoint.
Splunk Enterprise XSS Vulnerability
This security flaw allows attackers with minimal system privileges to craft malicious payloads that can execute arbitrary JavaScript code in victims' browsers.
The vulnerability is classified under CWE-79 (Cross-Site Scripting) and has been assigned a CVSSv3.1 score of 4.3, indicating a medium severity level.
The attack vector is particularly concerning because it requires only low-level user privileges: any authenticated user who does not hold the "admin" or "power" Splunk roles can attempt it.
This means that standard users with limited access could potentially exploit the vulnerability to compromise other users' sessions.
The CVSSv3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates that the attack can be executed remotely with low complexity, requiring low privileges but no user interaction.
Risk Factors and Details
Affected Products: Splunk Enterprise, all releases below 9.4.2, 9.3.4, and 9.2.6; Splunk Web component in Enterprise versions 9.4.1, 9.3.0 through 9.3.3, and 9.2.0 through 9.2.5
Impact: Execution of unauthorized JavaScript
Exploit Prerequisites: Low-privileged user (non-admin/power), authenticated access to Splunk Web
CVSS 3.1 Score: 4.3 (Medium)
The vulnerability affects a broad range of Splunk products across multiple version branches.
For Splunk Enterprise, affected versions include all releases below 9.4.2, 9.3.4, and 9.2.6. Specifically, the Splunk Web component in Enterprise versions 9.4.1, 9.3.0 through 9.3.3, and 9.2.0 through 9.2.5 contains the vulnerability.
Notably, Splunk Enterprise 9.1 versions remain unaffected by this security issue. Splunk Cloud Platform users are similarly impacted, with vulnerable versions including those below 9.3.2411.102, 9.3.2408.111, and 9.2.2406.118.
The vulnerability specifically affects instances with Splunk Web enabled, as this component handles the PDF generation functionality where the XSS flaw exists. The bug was discovered by Klevis Luli from Splunk's security team.
Mitigation Strategies
Splunk strongly recommends upgrading immediately to patched versions to address this vulnerability. For Enterprise users, the recommended fix versions are 9.4.2, 9.3.4, 9.2.6, or higher.
The company is actively monitoring and automatically patching affected Splunk Cloud Platform instances to ensure customer protection.
As an interim workaround, organizations can disable Splunk Web entirely, which eliminates the attack vector, since the vulnerability specifically targets the web interface's PDF generation component.
This mitigation can be implemented through the web.conf configuration file, though it may significantly affect user experience and dashboard functionality.
Security teams should prioritize this update given the potential for session hijacking and unauthorized code execution. While the vulnerability requires authenticated access, the low privilege requirements make it accessible to a broader range of potential attackers.
Organizations should also review their user privilege assignments and consider implementing additional monitoring around the pdfgen/render endpoint until patches are fully deployed across their Splunk infrastructure.
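The affected and fixed versions above are easy to misread when an estate runs several branches at once. The following script is an added example, not part of the article or of any Splunk tooling: it encodes the fixed versions exactly as stated on this page (Enterprise 9.4.2, 9.3.4, 9.2.6; Cloud Platform 9.3.2411.102, 9.3.2408.111, 9.2.2406.118) and decides, for an installed version string, whether it is on an affected branch and older than the fix for that branch. Branches for which the page lists no fix (such as Enterprise 9.1, which the page says is unaffected) are reported as not affected; the inventory dictionary in `hosts_needing_upgrade` is a constructed input, and the Cloud branch being keyed by its release train (the third version component) is an assumption made for this example.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# Fixed versions as stated in the advisory text on this page.
# Enterprise branches are identified by major.minor; Cloud Platform
# branches by major.minor.train (assumption for this example).
ENTERPRISE_FIXED: List[Version] = [(9, 4, 2), (9, 3, 4), (9, 2, 6)]
CLOUD_FIXED: List[Version] = [(9, 3, 2411, 102), (9, 3, 2408, 111), (9, 2, 2406, 118)]


def parse_version(text: str) -> Version:
    """Turn '9.3.2' or '9.3.2411.101' into a tuple of ints so that
    Python's tuple ordering gives the natural version ordering."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: Version, fixed_list: Sequence[Version],
                      branch_len: int) -> Optional[Version]:
    """Return the fixed version that shares the first `branch_len`
    components with `version`, or None if no fix is listed for that branch."""
    for fixed in fixed_list:
        if version[:branch_len] == fixed[:branch_len]:
            return fixed
    return None


def is_affected(text: str, product: str = "enterprise") -> bool:
    """True when the version sits on a branch the advisory lists and is
    older than that branch's fix. Branches without a listed fix (for
    example Enterprise 9.1) are treated as unaffected, as the page states."""
    version = parse_version(text)
    if product == "enterprise":
        fixed = fixed_version_for(version, ENTERPRISE_FIXED, 2)
    elif product == "cloud":
        fixed = fixed_version_for(version, CLOUD_FIXED, 3)
    else:
        raise ValueError(f"unknown product: {product!r}")
    if fixed is None:
        return False
    # A short string such as '9.3' compares as 9.3.0 under tuple ordering.
    return version < fixed


def hosts_needing_upgrade(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Given {host: (product, version)}, return the hosts still on a
    vulnerable version, sorted by name."""
    return sorted(host for host, (product, ver) in inventory.items()
                  if is_affected(ver, product))


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "sh-01": ("enterprise", "9.3.3"),
        "sh-02": ("enterprise", "9.4.2"),
        "idx-01": ("enterprise", "9.1.7"),
        "cloud-a": ("cloud", "9.3.2411.101"),
        "cloud-b": ("cloud", "9.2.2406.118"),
    }
    for host in hosts_needing_upgrade(sample):
        print(f"{host}: upgrade required (CVE-2025-20297)")
```

Run it against an inventory exported from your deployment server or monitoring console; anything it lists is below the fix version on its branch and should be scheduled for upgrade, while hosts on branches the advisory does not mention are left alone rather than guessed at.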
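For the interim monitoring the article recommends, the following is an added example of detection logic, not code from the article or from Splunk: it parses access-log lines in a combined-log style, keeps only requests to a path containing pdfgen/render, and flags requests whose query parameters still contain markup characters or a javascript: scheme after URL decoding (decoding twice so that double-encoded values are not missed). The log lines, user names, the /services/pdfgen/render path prefix, and the parameter names are constructed for this example; the page itself names only the pdfgen/render endpoint.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in a combined-log style; not real Splunk output.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Jun/2025:09:12:01 +0000] "GET /services/pdfgen/render?input-dashboard=sales&paper-size=a4 HTTP/1.1" 200 51220
10.0.0.9 - bob [02/Jun/2025:09:13:44 +0000] "GET /services/pdfgen/render?input-dashboard=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 1820
10.0.0.9 - bob [02/Jun/2025:09:14:02 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 9031
10.0.0.7 - carol [02/Jun/2025:09:15:30 +0000] "GET /services/pdfgen/render?input-dashboard=ops&paper-size=%253Cscript%253E HTTP/1.1" 200 1800
10.0.0.8 - dave [02/Jun/2025:09:16:12 +0000] "GET /services/pdfgen/render?input-dashboard=ops&paper-orientation=javascript%3Avoid(0) HTTP/1.1" 200 1790
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "pdfgen/render"
# Generic reflected-XSS indicators once the value is fully decoded:
# raw angle brackets or a script URL scheme inside a parameter value.
MARKUP_RE = re.compile(r"<|>|javascript:", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target: str) -> List[str]:
    """Names of query parameters whose decoded value carries markup indicators.
    parse_qsl decodes once; unquote_plus decodes again to catch double encoding."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if MARKUP_RE.search(unquote_plus(value)):
            hits.append(key)
    return hits


def find_pdfgen_xss(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per pdfgen/render request with a suspicious parameter."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ENDPOINT not in urlsplit(rec["target"]).path:
            continue
        params = suspicious_params(rec["target"])
        if params:
            findings.append({"user": rec["user"], "ip": rec["ip"],
                             "ts": rec["ts"], "params": params})
    return findings


def count_by_user(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate findings per user to spot repeated probing from one account."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["user"])] = counts.get(str(f["user"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_pdfgen_xss(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} ip={f['ip']} params={','.join(f['params'])}")
```

Feed it the web-access log of a search head and review any hits together with the user's roles: a non-admin, non-power account producing repeated findings is exactly the profile the advisory describes. Expect some false positives from dashboard names that legitimately contain angle brackets, and tune MARKUP_RE accordingly rather than dropping the check.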