Reflected Cross-Site Scripting (XSS) on Splunk Enterprise through dashboard PDF generation component

Advisory ID: SVD-2025-0601

CVE ID: CVE-2025-20297

Published: 2025-06-02

Last Update: 2025-06-04

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-79

Bug ID: VULN-26032

Description

In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint that could result in execution of unauthorized JavaScript code in the browser of a user.

Solution

Upgrade Splunk Enterprise to versions 9.4.2, 9.3.4, 9.2.6, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product                 Base Version   Component    Affected Version       Fix Version
Splunk Enterprise       9.4            Splunk Web   9.4.1                  9.4.2
Splunk Enterprise       9.3            Splunk Web   9.3.0 to 9.3.3         9.3.4
Splunk Enterprise       9.2            Splunk Web   9.2.0 to 9.2.5         9.2.6
Splunk Enterprise       9.1            Splunk Web   Not Affected
Splunk Cloud Platform   9.3.2411       Splunk Web   Below 9.3.2411.102     9.3.2411.102
Splunk Cloud Platform   9.3.2408       Splunk Web   Below 9.3.2408.111     9.3.2408.111
Splunk Cloud Platform   9.2.2406       Splunk Web   Below 9.2.2406.118     9.2.2406.118
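The following is an added example, not Splunk's own tooling: it transcribes the affected and fixed ranges from the Product Status table above into a small version checker, so an inventory of Splunk Enterprise and Splunk Cloud Platform builds can be classified as affected, fixed, not affected, or not listed. Version tuples are compared numerically so that four-part Cloud build numbers such as 9.3.2411.102 sort correctly; the `check_version` function name and the string statuses are this example's own conventions.

```python
# Added example (not Splunk's code): classify a Splunk version against the
# affected/fixed ranges published in the Product Status table of SVD-2025-0601.
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.3.2408.111' into (9, 3, 2408, 111) so tuples compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# (base version, first affected, first fixed), transcribed from the advisory table.
# A None fix marks a base version the table lists as Not Affected.
RANGES = {
    "enterprise": [
        ((9, 4), (9, 4, 1), (9, 4, 2)),   # table lists 9.4.1 as the affected 9.4 release
        ((9, 3), (9, 3, 0), (9, 3, 4)),
        ((9, 2), (9, 2, 0), (9, 2, 6)),
        ((9, 1), None, None),
    ],
    # Cloud builds carry a four-part number and must be checked as product "cloud";
    # their third component (2411, 2408, 2406) would not sort sensibly against
    # the Enterprise maintenance numbers.
    "cloud": [
        ((9, 3, 2411), (9, 3, 2411, 0), (9, 3, 2411, 102)),
        ((9, 3, 2408), (9, 3, 2408, 0), (9, 3, 2408, 111)),
        ((9, 2, 2406), (9, 2, 2406, 0), (9, 2, 2406, 118)),
    ],
}


def check_version(product: str, version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix_version).

    status is 'affected', 'fixed', 'not_affected' or 'not_listed';
    fix_version is the first fixed release for the matching base version,
    or None when the table gives none.
    """
    v = parse_version(version_text)
    for base, first_affected, first_fixed in RANGES[product]:
        if v[: len(base)] != base:
            continue
        if first_fixed is None:
            return "not_affected", None
        fix = ".".join(str(p) for p in first_fixed)
        if first_affected <= v < first_fixed:
            return "affected", fix
        if v >= first_fixed:
            return "fixed", fix
        # Below the first listed affected release (e.g. 9.4.0, which the table
        # does not list): report it as unlisted rather than guessing.
        return "not_listed", fix
    return "not_listed", None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("sh-01", "enterprise", "9.3.3"),
        ("sh-02", "enterprise", "9.2.6"),
        ("idx-01", "enterprise", "9.1.7"),
        ("cloud-stack", "cloud", "9.3.2411.101"),
    ]
    for host, product, version in inventory:
        status, fix = check_version(product, version)
        print(f"{host:12} {product:10} {version:14} {status:12} fix={fix}")
```

Feed it the output of whatever inventory source you already have (`splunk version` on each host, or the `/services/server/info` REST endpoint) and act on every `affected` row; `not_listed` rows need a manual look at the table rather than being treated as safe.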

Mitigations and Workarounds

The vulnerability affects only instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
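As an added example that is not part of the advisory, the check below reads a web.conf in Splunk's stanza format and reports whether Splunk Web would start. It assumes the `startwebserver` setting in the `[settings]` stanza, which is the web.conf key that controls the web server, and that the web server is enabled when the key is absent (the documented default); consult the web.conf specification for the setting's exact semantics on your version. The two embedded configurations are constructed samples: one leaves Splunk Web on, the other applies the workaround.

```python
# Added example (not Splunk's code): audit a web.conf for the Splunk Web
# workaround described in the advisory's Mitigations section.
import configparser

# Splunk boolean spellings accepted for startwebserver (assumption based on
# the usual true/false/1/0 forms in Splunk .conf files).
_TRUE = {"1", "true", "t", "yes", "y"}
_FALSE = {"0", "false", "f", "no", "n"}


def splunk_web_enabled(web_conf_text: str) -> bool:
    """Return True when this web.conf leaves Splunk Web enabled.

    Missing [settings] stanza or missing key means the default applies,
    which this example assumes to be "enabled".
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    if not cp.has_option("settings", "startwebserver"):
        return True
    raw = cp.get("settings", "startwebserver").strip().lower()
    if raw in _TRUE:
        return True
    if raw in _FALSE:
        return False
    raise ValueError(f"unrecognised startwebserver value: {raw!r}")


# Constructed sample: web server left at its default (enabled).
WEAK_WEB_CONF = """\
[settings]
httpport = 8000
enableSplunkWebSSL = true
"""

# Constructed sample: the workaround, Splunk Web switched off.
HARDENED_WEB_CONF = """\
[settings]
httpport = 8000
enableSplunkWebSSL = true
startwebserver = 0
"""


def audit(name: str, text: str) -> str:
    """One-line verdict for a named web.conf, suitable for a report."""
    state = "ENABLED (exposed to CVE-2025-20297 if unpatched)" if splunk_web_enabled(text) \
        else "disabled (workaround applied)"
    return f"{name}: Splunk Web {state}"


if __name__ == "__main__":
    print(audit("weak", WEAK_WEB_CONF))
    print(audit("hardened", HARDENED_WEB_CONF))
```

Point it at the effective configuration rather than a single file: Splunk layers `$SPLUNK_HOME/etc/system/local/web.conf` over the defaults and app-level copies, so check the merged result (for example from `splunk btool web list --debug`) to confirm the workaround actually took effect.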

Detections

None

Severity

Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Acknowledgments

Klevis Luli, Splunk

Changelog

  • 2025-06-04: Updated the list of affected versions in the security advisory