Splunk URL Validation Bypass Vulnerability in Views Dashboard

Vulnerability

A vulnerability exists in Splunk Enterprise versions prior to 10.0.2, 9.4.6, 9.3.8, and 9.2.10, as well as in Splunk Cloud Platform versions prior to 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120. The issue allows low-privileged users, who do not have 'admin' or 'power' roles, to create a views dashboard with a custom background using the 'data:image/png;base64' protocol. This could lead to an unvalidated redirect, bypassing Splunk's external URL warning mechanism and redirecting users to a malicious external site. Exploitation requires phishing the victim into initiating a request in their browser.
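To illustrate the bug class the advisory describes (a check that only recognises http/https as "external" and so never warns about other schemes), here is an added Python example that is not Splunk's code; the naive check, the allowlist policy and the sample URLs are all assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Schemes a dashboard background/link value may point at outside the app.
# Assumed policy for this example, not Splunk's actual validator.
ALLOWED_EXTERNAL = {"http", "https"}


def naive_needs_warning(value: str) -> bool:
    """Illustrative weak check: only http(s) URLs are treated as external.

    Anything else (including data: and javascript: URIs) is silently treated
    as same-origin and never triggers the external-URL warning.
    """
    return value.strip().lower().startswith(("http://", "https://"))


def classify_background_url(value: str) -> str:
    """Hardened classification of a user-supplied dashboard resource URL.

    Returns one of:
      "relative" - same-origin path, loaded without a warning
      "external" - http(s) URL to another host; show the external-URL warning
      "blocked"  - any other scheme (data:, javascript:, file:, ...), rejected
    """
    v = value.strip()
    parsed = urlparse(v)          # urlparse lowercases the scheme for us
    scheme = parsed.scheme
    if scheme == "":
        # No scheme: a relative path, except protocol-relative "//host/..."
        # forms, which browsers resolve to another origin.
        return "blocked" if v.startswith("//") else "relative"
    if scheme in ALLOWED_EXTERNAL and parsed.netloc:
        return "external"
    # Deny by default: data:, javascript:, file:, vbscript:, unknown schemes.
    return "blocked"


if __name__ == "__main__":
    # Constructed sample values; "other.example" is a placeholder host.
    for sample in ("/static/app/bg.png",
                   "https://other.example/bg.png",
                   "data:image/png;base64,iVBORw0KGgo=",
                   "//other.example/bg.png"):
        print(f"{sample!r:45} naive_warn={naive_needs_warning(sample)!s:5} "
              f"hardened={classify_background_url(sample)}")
```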

Impact

Exploitation of this vulnerability could lead to an unvalidated redirect, allowing for phishing or other malicious activities.

Remediation

Users of Splunk Enterprise should upgrade to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher. For Splunk Cloud Platform, no action is needed as Splunk is actively monitoring and patching instances. As a workaround, Splunk Web can be disabled.

Added: Dec 3, 2025, 5:25 PM
Updated: Dec 3, 2025, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.8
exploitability: 5.0
remediation: 8.3
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.