Splunk Stored Cross-Site Scripting Vulnerability via Navigation Bar Collections

Vulnerability

A stored cross-site scripting vulnerability has been identified in Splunk Enterprise versions prior to 10.0.2, 9.4.6, 9.3.8, and 9.2.10, as well as in Splunk Cloud Platform versions prior to 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117. This vulnerability allows users with the 'admin_all_objects' capability to inject malicious JavaScript into the href attribute of an anchor tag within a navigation bar collection. The injected script is then executed in the browser of another user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user’s browser.

Remediation

Users are advised to upgrade Splunk Enterprise to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10 or higher. For Splunk Cloud Platform, no action is needed as Splunk is actively monitoring and patching instances. If Splunk Web is enabled, it can be turned off as a workaround.
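An added example, not part of the original advisory and not Splunk's own code: a Python audit that parses a navigation definition and reports anchors whose href scheme is anything other than relative, http, or https. The XML layout (nav, collection, and a elements), the scheme allowlist, and the sample data are assumptions constructed for illustration; the advisory does not describe the injected value.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: navigation links should be relative or plain web URLs.
ALLOWED_SCHEMES = {"", "http", "https"}  # "" = relative link

# Constructed sample navigation definition; not taken from the advisory.
SAMPLE_NAV = """<nav>
  <collection label="Dashboards">
    <a href="https://intranet.example/runbook">Runbook</a>
    <a href="/app/search/reports">Reports</a>
    <a href=" JavaScript:void(0)">Placeholder</a>
    <collection label="Archive">
      <a href="data:text/plain,old">Old notes</a>
    </collection>
  </collection>
  <a href="https://docs.example/help">Help</a>
</nav>"""


def href_scheme(href):
    """Return the lower-cased scheme as a browser would interpret the href."""
    # Browsers drop tab/CR/LF anywhere and leading control chars or spaces,
    # so normalise first or " JavaScript:" slips past a naive prefix check.
    cleaned = re.sub(r"[\t\r\n]", "", href)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    return urlsplit(cleaned).scheme.lower()


def audit_nav(xml_text):
    """List (collection label, href, scheme) for anchors with unexpected schemes."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(node, label):
        for child in node:
            if child.tag == "collection":
                walk(child, child.get("label", ""))
            elif child.tag == "a":  # top-level anchors are checked as well
                scheme = href_scheme(child.get("href", ""))
                if scheme not in ALLOWED_SCHEMES:
                    findings.append((label, child.get("href"), scheme))
            else:
                walk(child, label)

    walk(root, None)  # None = anchor is not inside any collection
    return findings
```

Calling audit_nav(SAMPLE_NAV) returns one tuple per flagged anchor, labelled with the nearest enclosing collection.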

Added: Dec 3, 2025, 5:23 PM
Updated: Dec 3, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 2.5
remediation: 8.3
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.