Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise
Advisory ID: SVD-2024-1010
CVE ID: CVE-2024-45740
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Bug ID: VULN-16899
Description
In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user.
Solution
Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.3 | Splunk Web | Not affected | 9.3.0 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.2 | 9.2.3 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.5 | 9.1.6 |
| Splunk Cloud Platform | 9.2.2403 | Splunk Web | Below 9.2.2403 | 9.2.2403.100 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web enabled, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability as 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)