The vulnerabilities, published on October 1, 2025, impact various components of Splunk Web and require immediate attention from organizations using the platform.
Two of the most significant vulnerabilities involve cross-site scripting (XSS) attacks that could enable unauthorized JavaScript execution in user browsers.
CVE-2025-20367 represents a reflected XSS vulnerability in the /app/search/table endpoint with a CVSS score of 5.7.
Low-privileged users who do not hold admin or power roles could craft malicious payloads through the dataset.command parameter, potentially compromising other users’ sessions and stealing sensitive information.
CVE-2025-20368 presents a stored XSS vulnerability through missing field warning messages in Saved Search and Job Inspector functionality, also rated at CVSS 5.7.
This vulnerability allows attackers to inject malicious JavaScript code through error messages and job inspection details of saved searches, creating persistent threats that could affect multiple users accessing the compromised content.
CVE-2025-20366 identifies an improper access control vulnerability in the background job submission functionality, rated at CVSS 6.5. The vulnerability allows low-privileged users to access sensitive search results by guessing the unique Search ID (SID) of administrative search jobs running in the background.
This vulnerability could expose confidential data and search analytics to unauthorized users who successfully enumerate valid SIDs.
The most severe vulnerability in this batch is CVE-2025-20371, an unauthenticated blind server-side request forgery (SSRF) vulnerability with a CVSS score of 7.5.
This vulnerability could allow unauthenticated attackers to trigger SSRF attacks and perform REST API calls on behalf of authenticated high-privileged users.
The vulnerability requires the enableSplunkWebClientNetloc setting to be enabled and likely involves social engineering to trick victims into initiating requests from their browsers.
CVE-2025-20369 represents an XML External Entity (XXE) injection vulnerability through dashboard label fields, rated at CVSS 4.6. Low-privileged users could exploit this vulnerability to perform XXE injections that may result in denial-of-service attacks against Splunk instances.
CVE-2025-20370 involves a denial-of-service vulnerability through multiple LDAP bind requests, with a CVSS score of 4.9.
Users holding roles with the change_authentication capability could send multiple LDAP bind requests to internal endpoints, causing high CPU usage and potentially rendering Splunk Enterprise instances unavailable until restart.
All vulnerabilities affect Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, with some also impacting version 10.0.0. Splunk Cloud Platform installations below specific build numbers are also vulnerable. Organizations should immediately upgrade to the following fixed versions:
For organizations unable to immediately upgrade, Splunk recommends disabling Splunk Web as a temporary workaround for most vulnerabilities.
The SSRF vulnerability can be mitigated by setting enableSplunkWebClientNetloc to false in the web.conf configuration file. The LDAP DoS vulnerability can be addressed by removing the change_authentication capability from user roles where not required.
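A defender-side check for the two configuration mitigations, added here as an example that is not from the article or from Splunk: it parses constructed web.conf and authorize.conf samples (Splunk's INI-style stanza format, in which a capability appears as `<name> = enabled` inside a `[role_<role>]` stanza and `importRoles` chains roles with `;`) and reports whether enableSplunkWebClientNetloc is on and which roles hold change_authentication, directly or through role inheritance. The role names and settings in the samples are assumptions, not values from the page.

```python
import configparser

# Constructed web.conf sample (not from the page or any real deployment).
WEB_CONF = """[settings]
enableSplunkWebClientNetloc = true
httpport = 8000
"""

# Constructed authorize.conf sample. Capabilities appear as '<name> = enabled'
# inside [role_<role>] stanzas; importRoles (';'-separated) inherits them.
AUTHORIZE_CONF = """[role_admin]
change_authentication = enabled
[role_ldap_ops]
change_authentication = enabled
[role_helpdesk]
importRoles = ldap_ops
search = enabled
[role_user]
search = enabled
"""

def load_conf(text):
    # Splunk .conf files are INI-like; strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def web_client_netloc_enabled(web_conf_text):
    """True when enableSplunkWebClientNetloc is on (the SSRF precondition)."""
    cp = load_conf(web_conf_text)
    value = cp.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return value.strip().lower() in ("true", "1", "yes")

def roles_with_capability(authorize_conf_text, capability):
    """Role names holding `capability` directly or through importRoles."""
    cp = load_conf(authorize_conf_text)
    roles = {s[len("role_"):]: cp[s] for s in cp.sections() if s.startswith("role_")}

    def has_cap(role, seen):
        if role in seen or role not in roles:  # unknown role or import cycle
            return False
        seen.add(role)
        if roles[role].get(capability, "").strip().lower() == "enabled":
            return True
        imports = roles[role].get("importRoles", "")
        return any(has_cap(r.strip(), seen) for r in imports.split(";") if r.strip())

    return {r for r in roles if has_cap(r, set())}
```

Any role the second function returns that does not genuinely need to change authentication settings is a candidate for removing the capability until the upgrade is applied.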
The discovery of these vulnerabilities highlights the importance of maintaining current security patches and implementing defense-in-depth strategies.
Organizations should prioritize upgrading their Splunk installations and review user permissions to minimize potential attack surfaces while patches are applied.