Splunk Enterprise and Cloud Platform Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Splunk Enterprise versions prior to 9.4.2, 9.3.4, and 9.2.6, as well as in Splunk Cloud Platform versions prior to 9.3.2411.102, 9.3.2408.111, and 9.2.2406.118. This vulnerability allows a low-privileged user, without 'admin' or 'power' roles, to send a crafted payload through the pdfgen/render REST endpoint. This could lead to the execution of unauthorized JavaScript in the browser of a user.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious JavaScript that is executed in the context of the user's browser.

Remediation

Users of Splunk Enterprise should upgrade to versions 9.4.2, 9.3.4, or 9.2.6. For Splunk Cloud Platform users, the platform is actively monitored and patched. Additionally, turning off Splunk Web can mitigate this vulnerability.