Reflected Cross-Site Scripting (XSS) on Splunk Enterprise through dashboard PDF generation component
Advisory ID: SVD-2025-0601
CVE ID: CVE-2025-20297
Published: 2025-06-02
Last Update: 2025-06-04
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-79
Bug ID: VULN-26032
Description
In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user who does not hold the “admin” or “power” Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
Solution
Upgrade Splunk Enterprise to versions 9.4.2, 9.3.4, 9.2.6, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Base Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.4 | Splunk Web | 9.4.1 | 9.4.2 |
Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.3 | 9.3.4 |
Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.5 | 9.2.6 |
Splunk Enterprise | 9.1 | Splunk Web | Not Affected | |
Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.102 | 9.3.2411.102 |
Splunk Cloud Platform | 9.3.2408 | Splunk Web | Below 9.3.2408.111 | 9.3.2408.111 |
Splunk Cloud Platform | 9.2.2406 | Splunk Web | Below 9.2.2406.118 | 9.2.2406.118 |
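The Product Status table above gives one fix version per base line, so a fleet triage boils down to "is this host's version numerically below the fix version for its line". The helper below is an added example written for this advisory, not Splunk tooling: the fix thresholds come straight from the table, while the function names, the tri-state verdicts and the sample inventory are constructed. It compares versions as integer tuples rather than strings, because a plain string comparison would rank a hypothetical 9.3.2411.99 above 9.3.2411.102 and mark a vulnerable Cloud stack as fixed.

```python
"""Triage helper for SVD-2025-0601 / CVE-2025-20297 (added example, not Splunk code).

Fix versions are copied from the advisory's Product Status table; everything
else here (function names, verdict labels, sample inventory) is constructed.
"""
from __future__ import annotations

# (product, base line) -> first fixed version, as listed in the advisory.
FIXED_VERSIONS = {
    ("Splunk Enterprise", "9.4"): "9.4.2",
    ("Splunk Enterprise", "9.3"): "9.3.4",
    ("Splunk Enterprise", "9.2"): "9.2.6",
    ("Splunk Cloud Platform", "9.3.2411"): "9.3.2411.102",
    ("Splunk Cloud Platform", "9.3.2408"): "9.3.2408.111",
    ("Splunk Cloud Platform", "9.2.2406"): "9.2.2406.118",
}

# Base lines the advisory explicitly marks as not affected.
NOT_AFFECTED = {("Splunk Enterprise", "9.1")}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '9.3.2411.102' into (9, 3, 2411, 102) so comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def base_version(product: str, version: str) -> str | None:
    """Map a full version onto the advisory's 'Base Version' column.

    Enterprise lines are keyed on two components (9.4), Cloud lines on three (9.3.2411).
    """
    parsed = parse_version(version)
    depth = 3 if product == "Splunk Cloud Platform" else 2
    if len(parsed) < depth:
        return None
    return ".".join(str(p) for p in parsed[:depth])


def classify(product: str, version: str) -> str:
    """Return 'affected', 'fixed', 'not affected' or 'not listed' for one install."""
    key = (product, base_version(product, version))
    if key in FIXED_VERSIONS:
        below_fix = parse_version(version) < parse_version(FIXED_VERSIONS[key])
        return "affected" if below_fix else "fixed"
    if key in NOT_AFFECTED:
        return "not affected"
    # Lines the advisory does not mention (e.g. a newer major line) get no verdict here.
    return "not listed"


def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> list of (hostname, verdict)."""
    return [(host, classify(product, version)) for host, product, version in inventory]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("sh-01", "Splunk Enterprise", "9.4.1"),
    ("sh-02", "Splunk Enterprise", "9.4.2"),
    ("idx-01", "Splunk Enterprise", "9.3.3"),
    ("idx-02", "Splunk Enterprise", "9.1.8"),
    ("cloud-a", "Splunk Cloud Platform", "9.3.2411.101"),
    ("cloud-b", "Splunk Cloud Platform", "9.2.2406.118"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:10s} {verdict}")
```

Hosts reported as "affected" are candidates for the upgrade in the Solution section; "not listed" means the advisory gives no verdict for that line and the entry should be checked by hand rather than assumed safe.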
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
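For instances where the workaround is acceptable (for example an indexer or forwarder that never serves the UI), the setting the web.conf specification documents for this is shown below. This is an added fragment, not text from the advisory; the stanza and key are the documented web.conf setting, while the file path assumes a default install layout, and the change only takes effect after a Splunk restart.

```ini
# $SPLUNK_HOME/etc/system/local/web.conf (added example; path assumes a default install)
# Disables Splunk Web on this instance, removing the affected component from the attack surface.
# Restart Splunk after saving for the change to apply.
[settings]
startwebserver = 0
```

Prefer this only on roles that do not need the UI; search heads that users log in to should be upgraded to the fix versions instead.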
Detections
None
Severity
Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
Acknowledgments
Klevis Luli, Splunk
Changelog
- 2025-06-04: Updated the list of affected versions in the security advisory