Splunk Enterprise and Cloud Platform Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Splunk Enterprise versions prior to 9.4.4, 9.3.6, and 9.2.8, as well as in Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122. This vulnerability allows a low-privileged user, without 'admin' or 'power' roles, to inject a malicious payload via the 'dataset.command' parameter of the '/app/search/table' endpoint. The injected payload could execute unauthorized JavaScript code in the browser of the affected user.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute malicious JavaScript in the context of the user's browser.

Remediation

Users of Splunk Enterprise should upgrade to versions 9.4.4, 9.3.6, or 9.2.8. For Splunk Cloud Platform users, no action is needed as Splunk is actively monitoring and patching instances. Additionally, turning off Splunk Web can mitigate this vulnerability.