Persistent Cross-site Scripting (XSS) in Web Bulletin

Advisory ID: SVD-2024-0713

CVE ID: CVE-2024-36993

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 5.4, Medium


Bug ID: VULN-15649


In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.

Splunk Web Bulletin Messages would not sanitize the “data-toggle” and “data-remote” attributes which could lead to a Stored Cross-site Scripting (XSS) exploit.


Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise9.2Splunk Web9.2.0 to
Splunk Enterprise9.1Splunk Web9.1.0 to
Splunk Enterprise9.0Splunk Web9.0.0 to
Splunk Cloud Platform9.1.2312Splunk WebBelow 9.1.2312.2009.1.2312.200
Splunk Cloud Platform9.1.2308Splunk WebBelow 9.1.2308.2079.1.2308.207

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web enabled, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.



Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.


Anton (therceman)