Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page

Advisory ID: SVD-2023-1103

CVE ID: CVE-2023-46213

Published: 2023-11-16

Last Update: 2023-11-20

CVSSv3.1 Score: 4.8, Medium

CWE: CWE-79

Bug ID: VULN-5768

Description

In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape characters in log file content before rendering it in the browser.

This vulnerability lets an attacker craft a log file that, once it is searched, executes unauthorized JavaScript code in the browser of a user who interacts with events from the malicious log file in a specific way, namely by opening the “Show syntax highlighted” view on them.
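The following is an added illustration of the CWE-79 pattern the advisory describes, written for this page. It is not Splunk's code and does not reproduce the Splunk Web defect, whose exact unescaped characters the advisory does not disclose. The toy highlighter, its syslog-like line format, the sample event and the payload in it are all constructed for the example: a highlighter that interpolates raw event text into markup hands any markup in the log file to the browser, while one that HTML-encodes every piece of event text leaves only its own span wrappers as HTML.

```javascript
// Added example: toy "syntax highlighter" for log events, vulnerable form
// beside hardened form. Constructed for this page; not Splunk's code.

// Encode the five characters that are significant in an HTML text or
// attribute context. This is the fix for output-context XSS.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse a constructed syslog-like line ("<time> <host> <proc>: <msg>") into
// typed tokens. Lines that do not match are returned as one plain-text token.
function tokenize(line) {
  const m = /^(\S+) (\S+) (\S+): (.*)$/.exec(line);
  if (!m) return [{ type: "text", text: line }];
  return [
    { type: "time", text: m[1] }, { type: "text", text: " " },
    { type: "host", text: m[2] }, { type: "text", text: " " },
    { type: "proc", text: m[3] }, { type: "text", text: ": " },
    { type: "msg",  text: m[4] },
  ];
}

// Vulnerable: event text is concatenated straight into the markup, so a
// field value that contains a tag becomes part of the DOM instead of being
// displayed as characters.
function highlightUnsafe(line) {
  return tokenize(line)
    .map((t) => (t.type === "text" ? t.text : `<span class="${t.type}">${t.text}</span>`))
    .join("");
}

// Hardened: every piece of event text is encoded before it is placed in the
// markup. The only HTML left is the span wrappers the highlighter itself
// emits, and the class names come from the tokenizer, not from the event.
function highlightSafe(line) {
  return tokenize(line)
    .map((t) => (t.type === "text"
      ? escapeHtml(t.text)
      : `<span class="${t.type}">${escapeHtml(t.text)}</span>`))
    .join("");
}

// Check helper: strip only the wrappers the highlighter is allowed to emit and
// report any tag that survives, which must have come from the event text.
function foreignTags(html) {
  const stripped = html.replace(/<span class="[a-z]+">|<\/span>/g, "");
  return stripped.match(/<[a-zA-Z!\/][^>]*>/g) || [];
}

// Constructed event whose message field carries markup with an event handler,
// the kind of content an attacker can plant in a log file they control.
const EVENT =
  '2023-11-16T10:00:00Z web01 sshd: <img src=x onerror="alert(document.domain)">';

// Stand-alone run: the unsafe renderer leaks one foreign tag, the safe one none.
console.log("unsafe:", foreignTags(highlightUnsafe(EVENT)).length, "foreign tag(s)");
console.log("safe:  ", foreignTags(highlightSafe(EVENT)).length, "foreign tag(s)");
```

The usable check for a real renderer is the same as foreignTags here: render a corpus of events whose values contain `<`, `>`, `"`, `'` and `&`, remove the markup the renderer is specified to emit, and require that nothing tag-shaped remains. Escaping at the sink, as highlightSafe does, is what makes the view safe regardless of where the log file came from.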

Solution

Upgrade Splunk Enterprise to version 9.0.7, 9.1.2, or later.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product             Version   Component    Affected Version            Fix Version
Splunk Enterprise   9.0       Splunk Web   9.0.0 to 9.0.6              9.0.7
Splunk Enterprise   9.1       Splunk Web   9.1.0 to 9.1.1              9.1.2
Splunk Cloud        -         Splunk Web   Versions below 9.1.2308     9.1.2308

Mitigations and Workarounds

  • If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers (startwebserver = 0 in the [settings] stanza of web.conf, or the splunk disable webserver CLI command). See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
  • Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.

Detections

Severity

Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. In this vector, PR:H reflects that the attacker must already be able to get a crafted log file into the instance, UI:R that the victim must open the “Show syntax highlighted” view on the malicious events, and S:C that the impact lands in the victim's browser rather than in the Splunk process itself.

If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational.

Acknowledgments

Joshua Neubecker

Changelog

  • 2023-11-20: Added relevant detection link