Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View

Advisory ID: SVD-2023-0605

CVE ID: CVE-2023-32711

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 5.4, Medium

CWE: CWE-79

Bug ID: SPL-234890

Description

A Splunk Enterprise dashboard view lets a low-privileged user exploit a vulnerability in the bundled Bootstrap web framework (CVE-2019-8331, cross-site scripting through the tooltip and popover data-template option) and store a cross-site scripting (XSS) payload in the view, so that the payload executes when another user opens the dashboard.
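To show what the referenced Bootstrap bug lets an attacker do, the following is an added illustration and not code from Splunk or from this advisory: a model of the tooltip plugin inserting a data-template value into the DOM, with the pre-fix behaviour (template used verbatim) beside the allowlist sanitization that Bootstrap 3.4.1 and 4.3.1 introduced. The allowlist, the URL pattern and the attacker template are assumptions chosen for this example; the dashboard-side path through which Splunk's views reach this code is not described here.

```python
import re
from html import escape
from html.parser import HTMLParser

# Reduced allowlist in the spirit of the sanitizer Bootstrap 3.4.1 / 4.3.1 added
# for tooltip and popover templates (assumption: a subset of Bootstrap's default
# list, chosen for this illustration).
ALLOWED_TAGS = {"div", "span", "p", "b", "i", "strong", "em", "br", "h3", "h4", "a", "img"}
ALLOWED_ATTRS = {
    "*": {"class", "title", "role"},
    "a": {"href", "target"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
# Accept http(s)/mailto URLs or scheme-less relative URLs; javascript:, data:
# and any other scheme fail to match and the attribute is dropped.
SAFE_URL = re.compile(r"^(?:(?:https?|mailto):|[^:]*$)", re.IGNORECASE)
# Elements that never have a closing tag, so they must not affect skip depth.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class TemplateSanitizer(HTMLParser):
    """Rebuild markup keeping only allowlisted elements and attributes.

    A disallowed element (script, iframe, svg, ...) is dropped together with
    everything inside it, which is what Bootstrap's sanitizer does by
    removing the node from the DOM.
    """

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities arrive decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside a disallowed element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:
            if name not in allowed:                  # drops on*, style, srcdoc, ...
                continue
            value = "" if value is None else value
            if name in URL_ATTRS and not SAFE_URL.match(value.strip()):
                continue                             # drops javascript:/data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):        # <br/>, <img .../>
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-encode text nodes


def sanitize_template(template: str) -> str:
    parser = TemplateSanitizer()
    parser.feed(template)
    parser.close()
    return "".join(parser.out)


def render_tooltip(template: str, sanitize: bool) -> str:
    """Model of what the tooltip plugin does with a data-template option.

    Before Bootstrap 3.4.1 / 4.3.1 (sanitize=False) the template reached the
    DOM unchanged; the fixed versions (sanitize=True) run it through the
    allowlist first.
    """
    return sanitize_template(template) if sanitize else template


# Constructed attacker-controlled template following the CVE-2019-8331 pattern.
ATTACKER_TEMPLATE = (
    '<div class="tooltip" role="tooltip"><div class="tooltip-inner">'
    '<img src=x onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">help</a></div></div>'
)

if __name__ == "__main__":
    print("vulnerable:", render_tooltip(ATTACKER_TEMPLATE, sanitize=False))
    print("hardened:  ", render_tooltip(ATTACKER_TEMPLATE, sanitize=True))
```

The point of the allowlist, as opposed to stripping known-bad strings, is that the event handler attribute and the javascript: URL are removed because they were never permitted, not because a pattern recognised them; an attacker probing the upgraded Splunk Web against variants of the same template gets the same result.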

Solution

For Splunk Enterprise, upgrade to version 8.1.14, 8.2.11, 9.0.5, or higher.

This vulnerability does not affect Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version  Fix Version
Splunk Enterprise  8.1      Splunk Web  8.1.0 to 8.1.13   8.1.14
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.10   8.2.11
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.4    9.0.5

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web. This workaround only removes the attack surface on the indexers themselves; search heads and any other instance where users log in to Splunk Web still require the upgrade.
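As an added example of the workaround (not code from Splunk or from this advisory), the script below audits a web.conf excerpt for the weak state, Splunk Web left running, and rewrites the [settings] stanza with startwebserver = 0, the setting the web.conf specification uses to stop Splunk Web. The conf excerpt is constructed for this illustration; the assumption is that it has the shape of $SPLUNK_HOME/etc/system/local/web.conf on an indexer.

```python
import configparser
import io

# Constructed web.conf excerpt (assumption: the shape of
# $SPLUNK_HOME/etc/system/local/web.conf on an indexer; values are
# illustrative, not taken from the advisory).
WEAK_WEB_CONF = """\
[settings]
# Splunk Web left running on an indexer that nobody logs in to
startwebserver = 1
httpport = 8000
"""


def _load(conf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # Splunk keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    return cp


def splunk_web_enabled(conf_text: str) -> bool:
    """True when [settings] leaves Splunk Web running.

    An absent startwebserver key means the default, which is enabled, so a
    conf file that never mentions the key still counts as exposed.
    """
    return _load(conf_text).getboolean("settings", "startwebserver", fallback=True)


def disable_splunk_web(conf_text: str) -> str:
    """Return the conf text with startwebserver = 0 under [settings].

    ConfigParser drops comments on write; keep the original file for
    reference if that matters.
    """
    cp = _load(conf_text)
    if not cp.has_section("settings"):
        cp.add_section("settings")
    cp.set("settings", "startwebserver", "0")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


HARDENED_WEB_CONF = disable_splunk_web(WEAK_WEB_CONF)

if __name__ == "__main__":
    print("before:", splunk_web_enabled(WEAK_WEB_CONF))
    print(HARDENED_WEB_CONF)
    print("after:", splunk_web_enabled(HARDENED_WEB_CONF))
```

The same change can be made from the CLI with `splunk disable webserver`; either way the setting takes effect only after a restart of the Splunk instance, so the audit function is the part worth running across a fleet of indexers before and after the change.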

Detections

This detection search provides information on possible persistent XSS exploitation attempts within a dashboard view in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.

Severity

Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Acknowledgments

Danylo Dmytriiev (DDV_UA)