Stored Cross-Site Scripting (XSS) through Anchor Tag "href" in Navigation Bar Collections in Splunk Enterprise
Advisory ID: SVD-2025-1204
CVE ID: CVE-2025-20385
Published: 2025-12-03
Last Update: 2025-12-03
CVSSv3.1 Score: 2.4, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
CWE: CWE-79
Bug ID: VULN-43277
Description
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with the high-privilege admin_all_objects capability could craft a malicious payload in the href attribute of an anchor tag inside a collection in the navigation bar. Because the navigation definition is stored and rendered by Splunk Web, the payload could result in execution of unauthorized JavaScript code in the browser of any user who views that navigation bar and interacts with the link.
See Define roles on the Splunk platform with capabilities and https://dev.splunk.com/enterprise/docs/developapps/createapps/addnavsplunkapp/ for more information on capabilities and on the navigation XML format.
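As an added example, not code from this advisory or from Splunk: a Python script that audits an app navigation definition (the collection / anchor XML format described on the linked developer page) for anchor hrefs whose scheme is anything other than a relative path or http(s). The sample XML is constructed for the example; the scheme allowlist is an assumption, and the script only checks the XML text you hand it, so walking the default/ and local/ nav directories of each app and user is left to the operator.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample navigation file in the data/ui/nav/default.xml format
# that the Splunk developer docs describe (collection -> a href). It is NOT
# from the advisory; the hrefs are made up to exercise the check.
SAMPLE_NAV = """<nav search_view="search">
  <collection label="Reports">
    <a href="/app/search/report_list">Report list</a>
    <a href="https://docs.example.com/runbook">Runbook</a>
  </collection>
  <collection label="Links">
    <a href="javascript:alert(document.domain)">Status</a>
    <a href="  JaVa&#x09;ScRiPt:alert(1)">Dashboard</a>
    <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Help</a>
  </collection>
</nav>"""

# Assumed allowlist: relative URLs plus absolute http(s) URLs are accepted,
# everything else (javascript:, data:, vbscript:, unknown schemes) is flagged.
SAFE_SCHEMES = {"http", "https"}


def normalize_href(href: str) -> str:
    """Strip ASCII control characters and spaces the way browsers do before
    scheme parsing, so that 'java<TAB>script:' is recognised as 'javascript:'."""
    return re.sub(r"[\x00-\x20\x7f]", "", href)


def href_is_safe(href: str) -> bool:
    """True for relative URLs and for absolute URLs whose scheme is allowlisted."""
    scheme = urlsplit(normalize_href(href)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def audit_nav(xml_text: str) -> list:
    """Return (collection label, href) for every anchor that is a direct child
    of a collection and whose href fails the allowlist. Character references
    such as &#x09; are already decoded by the XML parser, so the check sees
    the same string the browser would."""
    root = ET.fromstring(xml_text)
    findings = []
    for coll in root.iter("collection"):
        for a in coll.findall("a"):
            href = a.get("href", "")
            if not href_is_safe(href):
                findings.append((coll.get("label"), href))
    return findings


if __name__ == "__main__":
    for label, href in audit_nav(SAMPLE_NAV):
        print(f"collection {label!r}: unsafe href {href!r}")
```

The control-character stripping matters: a payload such as `java&#x09;script:` survives XML parsing as a tab inside the scheme, which a naive `startswith("javascript:")` check would miss but a browser would still execute.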
Solution
Upgrade Splunk Enterprise to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.0 | Splunk Web | Below 10.0.2 | 10.0.2 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.5 | 9.4.6 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.7 | 9.3.8 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.9 | 9.2.10 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.6 | 10.1.2507.6 |
| Splunk Cloud Platform | 10.0.2503 | Splunk Web | Below 10.0.2503.7 | 10.0.2503.7 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.117 | 9.3.2411.117 |
Mitigations and Workarounds
The vulnerability affects only instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. Note that this removes the browser interface entirely, so it is only practical on instances that are administered through the CLI or REST API. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Detections
None
Severity
Splunk rates this vulnerability a 2.4, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.
Acknowledgments
Dr. Oliver Matula, DB Systel GmbH