Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint

Advisory ID: SVD-2023-0801

CVE ID: CVE-2023-40592

Published: 2023-08-30

Last Update: 2023-10-18

CVSSv3.1 Score: 8.4, High

CWE: CWE-79

Bug ID: VULN-5287

Description

In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.

A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9.0Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk Cloud-Splunk Web9.0.2305.100 and below9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.

Detections

Severity

Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Acknowledgments

Danylo Dmytriiev (DDV_UA)