Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint
Advisory ID: SVD-2023-0801
CVE ID: CVE-2023-40592
Published: 2023-08-30
Last Update: 2023-10-18
CVSSv3.1 Score: 8.4, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79
Bug ID: VULN-5287
Description
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.
A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.
Solution
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Splunk Cloud | - | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
Severity
Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Acknowledgments
Danylo Dmytriiev (DDV_UA)