Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- >= 10.0.0, <= 10.0.2
- >= 9.4.0, <= 9.4.8
- >= 9.3.0, <= 9.3.8
A stored cross-site scripting vulnerability has been identified in Splunk Enterprise and Splunk Cloud Platform. In Splunk Enterprise versions prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.9, as well as in Splunk Cloud Platform versions prior to 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user without 'admin' or 'power' roles could exploit a path traversal vulnerability. This allowed the user to inject a malicious payload while creating a new View through the REST API endpoint '/manager/launcher/data/ui/views/_new'. The injected JavaScript could then be executed in the browser of another user, potentially leading to unauthorized actions or data exposure. Exploitation requires phishing the victim into triggering the request in their browser.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user's browser.
Users of Splunk Enterprise should upgrade to versions 10.2.0, 10.0.3, 9.4.9, or 9.3.9. For Splunk Cloud Platform, instances are being monitored and patched by Splunk. As a possible workaround, users can turn off Splunk Web, which disables the component that allows exploitation. Instructions for managing Splunk Web are available in the Splunk documentation.
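The version boundaries above can be applied to an asset inventory to decide which instances need the upgrade first. The following is an added example, not code from Splunk or from this page; the host names and inventory are constructed, and release lines the text does not mention are reported as "unknown" for manual review rather than guessed.

```python
import re

# Fixed releases named in the advisory text, keyed by release line.
# Enterprise versions have three parts, Cloud Platform versions have four.
ENTERPRISE_FIXED = {(10, 2): 0, (10, 0): 3, (9, 4): 9, (9, 3): 9}
CLOUD_FIXED = {(10, 2, 2510): 4, (10, 1, 2507): 15,
               (10, 0, 2503): 11, (9, 3, 2411): 123}

VERSION_RE = re.compile(r"\d+(?:\.\d+){2,3}")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Splunk version string."""
    version = version.strip()
    if not VERSION_RE.fullmatch(version):
        return "unknown"  # unparseable value, needs a manual look
    parts = tuple(int(p) for p in version.split("."))
    table = ENTERPRISE_FIXED if len(parts) == 3 else CLOUD_FIXED
    fixed_patch = table.get(parts[:-1])
    if fixed_patch is None:
        return "unknown"  # release line not covered by the text above
    return "affected" if parts[-1] < fixed_patch else "fixed"


def triage(inventory):
    """Group hosts by status so affected ones can be scheduled first."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed inventory (hypothetical host names), e.g. from an asset export.
SAMPLE_INVENTORY = [
    ("sh01", "9.4.8"),
    ("sh02", "9.4.9"),
    ("idx01", "10.0.1"),
    ("hf01", "9.2.4"),
    ("cloud-stack", "10.1.2507.15"),
    ("lab", "unknown-build"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" should be checked against the vendor advisory directly, since this page gives no boundary for their release line.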