Information Disclosure through external content warning modal dialog box bypass in Splunk Enterprise Dashboard Studio
Advisory ID: SVD-2025-0306
CVE ID: CVE-2025-20227
Published: 2025-03-26
Last Update: 2025-03-26
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-20
Bug ID: VULN-21589
Description
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.112, 9.2.2403.115, 9.1.2312.208 and 9.1.2308.214, a low-privileged user that does not hold the “admin” or “power” Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards, which could lead to information disclosure.
For more information about configuring trusted external domains for dashboards, see Configure Dashboards Trusted Domains List.
Solution
Upgrade Splunk Enterprise to versions 9.1.8, 9.2.5, 9.3.3, 9.4.1, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.4 | Splunk Dashboards | 9.4.0 | 9.4.1 |
Splunk Enterprise | 9.3 | Splunk Dashboards | 9.3.0 to 9.3.2 | 9.3.3 |
Splunk Enterprise | 9.2 | Splunk Dashboards | 9.2.0 to 9.2.4 | 9.2.5 |
Splunk Enterprise | 9.1 | Splunk Dashboards | 9.1.0 to 9.1.7 | 9.1.8 |
Splunk Cloud Platform | 9.3.2408 | Splunk Dashboards | 9.3.2408.100 to 9.3.2408.106 | 9.3.2408.107 |
Splunk Cloud Platform | 9.2.2406 | Splunk Dashboards | 9.2.2406.100 to 9.2.2406.112 | 9.2.2406.113 |
Splunk Cloud Platform | 9.2.2403 | Splunk Dashboards | Below 9.2.2403.115 | 9.2.2403.115 |
Splunk Cloud Platform | 9.1.2312 | Splunk Dashboards | Below 9.1.2312.208 | 9.1.2312.208 |
Splunk Cloud Platform | 9.1.2308 | Splunk Dashboards | Below 9.1.2308.214 | 9.1.2308.214 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on. Turning Splunk Web off is a possible workaround. Note that turning Splunk Web off removes the entire web interface, including Dashboard Studio, from that instance, so it is only practical for instances whose users do not need the web UI.
See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
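The following is an added example, not Splunk's own tooling or code from this advisory. It encodes the Splunk Enterprise fix versions from the Product Status table above and the `startwebserver` setting from `web.conf` (which defaults to enabled) so that an operator can decide from a `splunk version` string and a `web.conf` fragment whether an instance is both on an affected build and exposed through Splunk Web. The version strings and `web.conf` text in the block are constructed sample input; on a real host you would feed it the output of `$SPLUNK_HOME/bin/splunk version` and the effective settings from `splunk btool web list settings`. Splunk Cloud Platform is deliberately not covered, since Splunk patches those instances itself.

```python
"""Exposure check for SVD-2025-0306 / CVE-2025-20227 on Splunk Enterprise.

Added example, not Splunk's code. Fix versions come from the advisory's
Product Status table; release lines not in that table are reported as
'unlisted' rather than guessed.
"""
import configparser
import re

# Fix version per Splunk Enterprise release line, as listed in the advisory.
FIX_VERSIONS = {
    (9, 1): (9, 1, 8),
    (9, 2): (9, 2, 5),
    (9, 3): (9, 3, 3),
    (9, 4): (9, 4, 1),
}


def parse_version(text):
    """Extract the first dotted major.minor.patch triple from text such as
    'Splunk 9.3.2 (build ...)' and return it as a tuple of ints."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def enterprise_status(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for a Splunk Enterprise build.

    'unlisted' means the release line (e.g. 9.0) does not appear in the
    advisory's table, so no claim is made either way."""
    v = parse_version(version_text)
    fix = FIX_VERSIONS.get(v[:2])
    if fix is None:
        return "unlisted"
    # Tuple comparison handles patch levels above the fix (9.1.10 >= 9.1.8).
    return "fixed" if v >= fix else "affected"


def splunk_web_enabled(web_conf_text):
    """True unless [settings] startwebserver is set to 0/false in web.conf.

    Splunk Web is on by default, so a missing key means enabled. Splunk .conf
    files are INI-like, which is enough for configparser on a small fragment;
    the layered, effective value on a real host comes from btool."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf_text)
    return cp.getboolean("settings", "startwebserver", fallback=True)


def exposed(version_text, web_conf_text):
    """Exposed only when the build is affected AND Splunk Web is enabled,
    matching the advisory's statement that the issue needs Splunk Web on."""
    return enterprise_status(version_text) == "affected" and splunk_web_enabled(web_conf_text)


# Constructed sample input (not real host output).
SAMPLE_VERSION_OUTPUT = "Splunk 9.3.2 (build 1234567890)"
SAMPLE_WEB_CONF_DEFAULT = "[settings]\nhttpport = 8000\n"          # startwebserver unset
SAMPLE_WEB_CONF_DISABLED = "[settings]\nstartwebserver = 0\n"      # workaround applied

if __name__ == "__main__":
    print("status:", enterprise_status(SAMPLE_VERSION_OUTPUT))
    print("exposed (web on): ", exposed(SAMPLE_VERSION_OUTPUT, SAMPLE_WEB_CONF_DEFAULT))
    print("exposed (web off):", exposed(SAMPLE_VERSION_OUTPUT, SAMPLE_WEB_CONF_DISABLED))
```

The `startwebserver` workaround flips the second condition only; the build stays affected, so the check keeps reporting `affected` until the instance is upgraded to the fix version for its release line.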
Detections
None
Severity
Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
Acknowledgments
Taihei Shimamine