Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View
Advisory ID: SVD-2023-0605
CVE ID: CVE-2023-32711
Last Update: 2023-06-01
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Bug ID: SPL-234890
Description
In Splunk Enterprise versions below 8.1.14, 8.2.11, and 9.0.5, a dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) to build a stored cross-site scripting (XSS) payload. Because the payload is persisted with the view, it runs in the browser of other users who later open that view, which is why the vector carries a scope change (S:C) and requires user interaction (UI:R).
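The advisory does not describe the specific validation bypass, so the following is an added, illustrative example (not Splunk's code and not a reproduction of CVE-2023-32711) of the general failure class named in the title: a prefix deny-list on a URL beside a parse-based allow-list of the kind Bootstrap's sanitizer applies to `href`/`src` attributes. The base origin, the allowed-scheme set and the probe strings are all constructed for the example.

```javascript
// Added example (not Splunk code): why scheme deny-lists on URLs get bypassed
// and what a parse-based allow-list does instead. It does NOT reproduce the
// CVE-2023-32711 bypass, which the advisory does not describe.

// Assumed base origin of the dashboard, used to resolve relative links.
const DASHBOARD_BASE = "https://dashboard.example.test/app/search/";

// Schemes a dashboard link is allowed to use (an assumption for this example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Weak check: a lower-cased prefix deny-list. This is the shape of check that
// "URL validation bypass" findings usually defeat.
function naiveIsSafeUrl(url) {
  const lower = String(url).toLowerCase();
  return !lower.startsWith("javascript:") && !lower.startsWith("data:");
}

// Hardened check: let the WHATWG URL parser normalise the string the same way
// the browser will (strip leading/trailing C0 controls and spaces, drop tabs and
// newlines, lower-case the scheme), then accept only allow-listed schemes.
function strictIsSafeUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url), DASHBOARD_BASE);
  } catch (err) {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed probe set: each entry is [input, expectedSafe].
const PROBES = [
  ["https://docs.example.test/page", true],
  ["../../manager/permissions", true],          // relative link, resolved against the base
  ["mailto:soc@example.test", true],
  ["javascript:alert(document.domain)", false],
  ["JaVaScRiPt:alert(1)", false],               // mixed case
  [" javascript:alert(1)", false],              // leading space: stripped by the URL parser
  ["\u0001javascript:alert(1)", false],         // leading C0 control: stripped
  ["java\tscript:alert(1)", false],             // embedded tab: removed by the URL parser
  ["java\nscript:alert(1)", false],             // embedded newline: removed
  ["vbscript:MsgBox(1)", false],                // a scheme the deny-list never listed
  ["data:text/html,<script>alert(1)</script>", false],
];

// Runs both validators over the probes and reports which inputs the naive
// check misclassifies (its bypasses) and whether the strict check got every
// case right.
function compareValidators(probes = PROBES) {
  const naiveBypasses = [];
  const strictErrors = [];
  for (const [input, expectedSafe] of probes) {
    if (naiveIsSafeUrl(input) !== expectedSafe) naiveBypasses.push(input);
    if (strictIsSafeUrl(input) !== expectedSafe) strictErrors.push(input);
  }
  return { naiveBypasses, strictErrors };
}

console.log(JSON.stringify(compareValidators(), null, 2));
```

Two caveats apply when a check like `strictIsSafeUrl` is used for real: it must run on the attribute value after HTML entity decoding, which is what the browser's HTML parser hands to the URL parser, so a check over raw HTML source is still bypassable with `&#106;avascript:`; and it only constrains the scheme, so the rendered value must still be attribute-escaped and, on a server that stores views, validated at save time rather than only at render time.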
Solution
Upgrade Splunk Enterprise to 8.1.14, 8.2.11, 9.0.5, or higher.
This vulnerability does not affect Splunk Cloud Platform instances.
Affected Products and Components
| Product | Version | Component | Affected Version | Fix Version |
| --- | --- | --- | --- | --- |
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
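The web.conf setting that the workaround refers to, as an added example (taken from the web.conf specification, not from this advisory):

```ini
# Added example: disable Splunk Web on an indexer that nobody logs in to.
# Put this in $SPLUNK_HOME/etc/system/local/web.conf (or an app's local/
# directory) and restart Splunk for it to take effect.
[settings]
startwebserver = 0
```

The same result can be reached from the CLI with `splunk disable webserver` followed by `splunk restart`. Either way, confirm afterwards that the management port (8089) is still reachable for the search head and deployment server, since only the web UI on port 8000 should go away.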
Detections
Splunk's detection search for this issue provides information on possible persistent XSS exploitation attempts within a dashboard view in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Acknowledgments
Danylo Dmytriiev (DDV_UA)