Reflected Cross-site Scripting (XSS) in '/app/search/table' endpoint through the 'dataset.command' parameter on Splunk Enterprise

Advisory ID: SVD-2025-1002

CVE ID: CVE-2025-20367

Published: 2025-10-01

Last Update: 2025-10-01

CVSSv3.1 Score: 5.7, Medium

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-79

Bug ID: VULN-31955

Description

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could craft a malicious payload through the dataset.command parameter of the /app/search/table endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.

Solution

Upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductBase VersionComponentAffected VersionFix Version
Splunk Enterprise10.0Splunk WebNot Affected10.0.0
Splunk Enterprise9.4Splunk Web9.4.0 to 9.4.39.4.4
Splunk Enterprise9.3Splunk Web9.3.0 to 9.3.59.3.6
Splunk Enterprise9.2Splunk Web9.2.0 to 9.2.79.2.8
Splunk Cloud Platform9.3.2411Splunk WebBelow 9.3.2411.1099.3.2411.109
Splunk Cloud Platform9.3.2408Splunk WebBelow 9.3.2408.1199.3.2408.119
Splunk Cloud Platform9.2.2406Splunk WebBelow 9.2.2406.1229.2.2406.122

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web turned on, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.

Detections

None

Severity

Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

Anudeep Gandla, Splunk