Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View
Advisory ID: SVD-2023-0605
CVE ID: CVE-2023-32711
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Bug ID: SPL-234890
Description
A Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload.
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
This vulnerability does not affect Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
This detection search provides information on possible persistent XSS exploitation attempts within a dashboard view in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Acknowledgments
Danylo Dmytriiev (DDV_UA)