Extensible Markup Language (XML) External Entity Injection (XXE) through Dashboard label field on Splunk Enterprise

Advisory ID: SVD-2025-1004

CVE ID: CVE-2025-20369

Published: 2025-10-01

Last Update: 2025-10-01

CVSSv3.1 Score: 4.6, Medium

CWE: CWE-776

Bug ID: VULN-13293

Description

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low-privileged user who does not hold the ‘admin’ or ‘power’ Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection could be used to cause a denial of service (DoS).
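The advisory classifies the bug as CWE-776 (XML entity expansion), and the fix is in the patched versions listed below. As an added illustration of the parser-side control that closes this class of weakness, and not Splunk's own code or the shipped fix, the following Python rejects any DOCTYPE or entity declaration in user-supplied dashboard XML before the document is processed, so an entity-expansion document is refused at its first declaration instead of being expanded. The element names and sample documents are constructed placeholders, not Splunk's dashboard schema; only the standard library's expat bindings are used.

```python
"""Added example, not Splunk's code: a guard for user-supplied dashboard XML
that rejects the DTD constructs behind CWE-776 before any expansion happens.
Element names and sample documents below are constructed placeholders."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document declares a DTD or an entity, or references an
    external entity; a dashboard definition never needs any of these."""


def check_dashboard_xml(xml_text: str) -> bool:
    """Return True if xml_text is well-formed and declaration-free.

    Raising inside an expat handler stops the parser at once, so a nested
    entity document is rejected at its first declaration, not after expansion.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE is refused; this fires before the internal subset is read.
        raise UnsafeXmlError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Defense in depth: never reached when on_doctype raises, but keeps the
        # guard correct if the DOCTYPE policy is ever relaxed.
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXmlError(f"{kind} entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 reports the reference as unresolved, so no file or URL
        # is ever fetched even if a declaration slipped through.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is treated as unsafe rather than silently accepted.
        raise UnsafeXmlError(f"not well-formed XML: {exc}") from exc
    return True


def is_safe_dashboard_xml(xml_text: str) -> bool:
    """Boolean convenience wrapper around check_dashboard_xml."""
    try:
        return check_dashboard_xml(xml_text)
    except UnsafeXmlError:
        return False


# Constructed sample documents (placeholder element names, not Splunk's schema).
CLEAN_DASHBOARD = "<dashboard><label>Revenue by region</label></dashboard>"

# Internal entities that reference each other are the building block of
# entity-expansion denial of service; the guard refuses the DOCTYPE outright.
ENTITY_DASHBOARD = (
    '<!DOCTYPE dashboard [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]>'
    "<dashboard><label>&b;</label></dashboard>"
)

# An external entity pointing at a local resource (placeholder path).
EXTERNAL_DASHBOARD = (
    '<!DOCTYPE dashboard [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
    "<dashboard><label>&ext;</label></dashboard>"
)

if __name__ == "__main__":
    for title, doc in [("clean", CLEAN_DASHBOARD),
                       ("entity expansion", ENTITY_DASHBOARD),
                       ("external entity", EXTERNAL_DASHBOARD)]:
        try:
            check_dashboard_xml(doc)
            print(f"{title}: accepted")
        except UnsafeXmlError as err:
            print(f"{title}: rejected ({err})")
```

The check belongs at the trust boundary where the label or dashboard XML is accepted from the user, before it is stored or rendered; rejecting the whole DOCTYPE is simpler and safer than trying to allow "harmless" declarations, because a dashboard definition has no legitimate need for one.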

Solution

Upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8 or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product                Base Version   Component    Affected Version       Fix Version
Splunk Enterprise      10.0           Splunk Web   Not Affected           10.0.0
Splunk Enterprise      9.4            Splunk Web   9.4.0 to 9.4.3         9.4.4
Splunk Enterprise      9.3            Splunk Web   9.3.0 to 9.3.5         9.3.6
Splunk Enterprise      9.2            Splunk Web   9.2.0 to 9.2.7         9.2.8
Splunk Cloud Platform  9.3.2411       Splunk Web   Below 9.3.2411.108     9.3.2411.108
Splunk Cloud Platform  9.3.2408       Splunk Web   Below 9.3.2408.118     9.3.2408.118
Splunk Cloud Platform  9.2.2406       Splunk Web   Below 9.2.2406.123     9.2.2406.123

Mitigations and Workarounds

The vulnerability affects only instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.

Detections

None

Severity

Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L.

Acknowledgments

Eric LaMothe, Splunk