Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page
Advisory ID: SVD-2023-1103
CVE ID: CVE-2023-46213
Last Update: 2023-11-20
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Bug ID: VULN-5768
In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape characters from log file content before rendering them in Splunk Web.
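To illustrate the class of defect this advisory describes, the following is an added JavaScript example; it is not Splunk's code and does not reflect how the Splunk Web highlighter is implemented. A toy syntax highlighter for key=value log lines is rendered two ways: once by concatenating raw token text into HTML (the unsafe pattern, where a `<` in a log line becomes live markup) and once by HTML-escaping every token before wrapping it in the highlighter's own `<span>` tags. The tokenizer, token classes, CSS class names, the `containsForeignMarkup` check and the sample log line are all constructed for the illustration.

```javascript
// Added example (not Splunk's code): an unsafe syntax highlighter beside an
// escaped one. Token classes, CSS class names and the sample line are assumptions.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in an HTML text or
// attribute context so that log content is rendered as text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Minimal tokenizer for key=value style log lines: quoted strings, numbers,
// identifiers, whitespace, and any single remaining character.
function tokenize(line) {
  const re = /"[^"]*"?|'[^']*'?|\d+(?:\.\d+)?|[A-Za-z_][\w.-]*|\s+|./gs;
  return line.match(re) || [];
}

// Assign a highlight class to a token; null means "render as plain text".
function classify(tok, nextTok) {
  if (/^["']/.test(tok)) return 'string';
  if (/^\d/.test(tok)) return 'number';
  if (/^[A-Za-z_]/.test(tok) && nextTok === '=') return 'key';
  return null;
}

// UNSAFE: raw token text is interpolated into the HTML string, so markup
// carried in a log line is emitted as markup. This is the bug pattern.
function highlightUnsafe(line) {
  const toks = tokenize(line);
  return toks.map((t, i) => {
    const cls = classify(t, toks[i + 1]);
    return cls ? `<span class="${cls}">${t}</span>` : t;
  }).join('');
}

// SAFE: each token is escaped before it is wrapped, so the only tags in the
// output are the highlighter's own <span> elements.
function highlightSafe(line) {
  const toks = tokenize(line);
  return toks.map((t, i) => {
    const cls = classify(t, toks[i + 1]);
    const text = escapeHtml(t);
    return cls ? `<span class="${cls}">${text}</span>` : text;
  }).join('');
}

// Regression check suitable for a unit test: after removing the highlighter's
// own tags, does anything that still looks like a tag remain?
function containsForeignMarkup(html) {
  const stripped = html.replace(/<span class="[a-z]+">|<\/span>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample: a field value carrying HTML, as an imported log file might.
const SAMPLE = 'user="<b>injected</b>" status=200 bytes=512';

console.log('unsafe foreign markup:', containsForeignMarkup(highlightUnsafe(SAMPLE)));
console.log('safe   foreign markup:', containsForeignMarkup(highlightSafe(SAMPLE)));
console.log(highlightSafe(SAMPLE));
```

The escaping happens per token, after tokenization and before any markup is assembled, so the highlighter never has to reason about which characters are "dangerous" in a given log line; the `containsForeignMarkup` check is the kind of assertion a test suite can run over a corpus of hostile sample lines to catch a regression in that escaping.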
Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.6 | 9.0.7 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.1 | 9.1.2 |
| Splunk Cloud | - | Splunk Web | Versions below 9.1.2308 | 9.1.2308 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.
Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational.
- 2023-11-20: Added relevant detection link