Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Unauthorized JavaScript code


Splunk has released patches for multiple vulnerabilities in its Enterprise and Cloud Platform products, some of which could allow attackers to execute unauthorized JavaScript code, access sensitive information, or cause a denial-of-service (DoS) condition.

The advisories, published on October 1, 2025, detail six security flaws, with severity ratings ranging from Medium to High.

The highest-severity issue is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2025-20371, with a CVSS score of 7.5 (High).

This vulnerability could allow an unauthenticated attacker to trigger a blind SSRF, potentially enabling them to perform REST API calls on behalf of an authenticated, high-privileged user.

Successful exploitation requires the enableSplunkWebClientNetloc setting in web.conf to be enabled, and the attacker must phish a high-privileged user into initiating the request from their browser.

Code Execution and Information Disclosure Flaws

Two of the vulnerabilities involve the execution of unauthorized JavaScript code in a victim's browser, i.e. cross-site scripting (XSS):

  • CVE-2025-20367 (CVSS: 5.7): A low-privileged user can craft a malicious payload through the dataset.command parameter of a specific endpoint, leading to the execution of JavaScript code in another user’s browser.
  • CVE-2025-20368 (CVSS: 5.7): Similarly, a low-privileged user can inject a malicious payload into the error messages and job inspection details of a saved search, so that the JavaScript runs in the browser of any user who views those details.

Another significant flaw, CVE-2025-20366 (CVSS: 6.5), allows for information disclosure. In this scenario, a low-privileged user without ‘admin’ or ‘power’ roles could access the results of an administrative search job running in the background.

If the attacker correctly guesses the unique Search ID (SID) of the job, they could retrieve potentially sensitive search results.

Denial of Service and XXE Vulnerabilities

The security update also addresses two further medium-severity vulnerabilities that could impact system availability:

  • CVE-2025-20370 (CVSS: 4.9): A user with the change_authentication capability can send multiple LDAP bind requests to an internal endpoint, causing high CPU usage and a potential DoS that requires an instance restart to resolve.
  • CVE-2025-20369 (CVSS: 4.6): A low-privileged user can perform an XML External Entity (XXE) injection through the dashboard tab label field, which could lead to denial of service.

Affected Products and Mitigations

The vulnerabilities affect multiple versions of Splunk Enterprise and Splunk Cloud Platform. The affected Splunk Enterprise versions are those below 9.4.4, 9.3.6, and 9.2.8 in their respective release trains; CVE-2025-20370 and CVE-2025-20371 additionally affect version 10.0.0, fixed in 10.0.1.

Splunk has released patches and urges customers to upgrade to the following or later versions:

CVE-2025-20366 – Information Disclosure – CVSS 3.1: 6.5 (Medium)
  Splunk Enterprise: affected 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.111, 9.3.2408.119, 9.2.2406.122; fixed in 9.3.2411.111, 9.3.2408.119, 9.2.2406.122

CVE-2025-20367 – Cross-Site Scripting (XSS) – CVSS 3.1: 5.7 (Medium)
  Splunk Enterprise: affected 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.109, 9.3.2408.119, 9.2.2406.122; fixed in 9.3.2411.109, 9.3.2408.119, 9.2.2406.122

CVE-2025-20368 – Cross-Site Scripting (XSS) – CVSS 3.1: 5.7 (Medium)
  Splunk Enterprise: affected 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.108, 9.3.2408.118, 9.2.2406.123; fixed in 9.3.2411.108, 9.3.2408.118, 9.2.2406.123

CVE-2025-20369 – XXE Injection – CVSS 3.1: 4.6 (Medium)
  Splunk Enterprise: affected 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.108, 9.3.2408.118, 9.2.2406.123; fixed in 9.3.2411.108, 9.3.2408.118, 9.2.2406.123

CVE-2025-20370 – Denial of Service (DoS) – CVSS 3.1: 4.9 (Medium)
  Splunk Enterprise: affected 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 10.0.1, 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.108, 9.3.2408.118, 9.2.2406.123; fixed in 9.3.2411.108, 9.3.2408.118, 9.2.2406.123

CVE-2025-20371 – Server-Side Request Forgery (SSRF) – CVSS 3.1: 7.5 (High)
  Splunk Enterprise: affected 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7; fixed in 10.0.1, 9.4.4, 9.3.6, 9.2.8
  Splunk Cloud Platform: affected below 9.3.2411.109, 9.3.2408.119, 9.2.2406.122; fixed in 9.3.2411.109, 9.3.2408.119, 9.2.2406.122

Splunk has confirmed it is actively patching all Splunk Cloud Platform instances and will notify customers upon completion.

For Splunk Enterprise users unable to apply the updates immediately, several workarounds are available. A common mitigation for many of the vulnerabilities is to disable Splunk Web if it is not required (startwebserver = 0 in the [settings] stanza of web.conf); this does not apply to Splunk Cloud Platform, where customers cannot change these settings and must wait for Splunk's patching.

For the SSRF flaw (CVE-2025-20371), administrators can mitigate the risk by setting enableSplunkWebClientNetloc to false in the [settings] stanza of web.conf, which removes the precondition the attack depends on.
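The following script is an added example, not code from Splunk or from the original article. It encodes the fixed-version table above so an instance's version string can be checked against every CVE in its own release train, and it parses a web.conf to report whether Splunk Web is on and whether the CVE-2025-20371 precondition (enableSplunkWebClientNetloc enabled) is present. The default values it assumes when a setting is absent (Splunk Web enabled, enableSplunkWebClientNetloc disabled) are taken from web.conf.spec and should be confirmed on the host with `splunk btool web list settings`; the sample web.conf contents are constructed for the demonstration.

```python
"""Offline check against the October 1, 2025 Splunk advisories.

unpatched_cves()    - compare a running version with the advisory's fixed versions
web_conf_exposure() - read web.conf and report the workaround-relevant settings
"""
import configparser

# Fixed versions copied from the advisory table, keyed by CVE and then by release
# train: major.minor for Splunk Enterprise, major.minor.release for Cloud Platform.
ENTERPRISE_FIXED = {
    "CVE-2025-20366": {"9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "CVE-2025-20367": {"9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "CVE-2025-20368": {"9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "CVE-2025-20369": {"9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "CVE-2025-20370": {"10.0": "10.0.1", "9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "CVE-2025-20371": {"10.0": "10.0.1", "9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
}
CLOUD_FIXED = {
    "CVE-2025-20366": {"9.3.2411": "9.3.2411.111", "9.3.2408": "9.3.2408.119", "9.2.2406": "9.2.2406.122"},
    "CVE-2025-20367": {"9.3.2411": "9.3.2411.109", "9.3.2408": "9.3.2408.119", "9.2.2406": "9.2.2406.122"},
    "CVE-2025-20368": {"9.3.2411": "9.3.2411.108", "9.3.2408": "9.3.2408.118", "9.2.2406": "9.2.2406.123"},
    "CVE-2025-20369": {"9.3.2411": "9.3.2411.108", "9.3.2408": "9.3.2408.118", "9.2.2406": "9.2.2406.123"},
    "CVE-2025-20370": {"9.3.2411": "9.3.2411.108", "9.3.2408": "9.3.2408.118", "9.2.2406": "9.2.2406.123"},
    "CVE-2025-20371": {"9.3.2411": "9.3.2411.109", "9.3.2408": "9.3.2408.119", "9.2.2406": "9.2.2406.122"},
}
FIXED = {"enterprise": ENTERPRISE_FIXED, "cloud": CLOUD_FIXED}
TRAIN_PARTS = {"enterprise": 2, "cloud": 3}


def parse_version(version):
    """'9.4.3' -> (9, 4, 3). Splunk versions are dotted integers, so tuple order is correct."""
    return tuple(int(part) for part in version.strip().split("."))


def unpatched_cves(product, version):
    """CVE IDs whose fixed version in this instance's release train is newer than the
    running version. A train that does not appear in a CVE's row (e.g. 10.0 for the
    XSS flaws, or anything below 9.2) is not listed as affected, so it is not reported."""
    running = parse_version(version)
    train = ".".join(str(part) for part in running[:TRAIN_PARTS[product]])
    affected = []
    for cve, fixed_by_train in FIXED[product].items():
        fixed = fixed_by_train.get(train)
        if fixed is not None and running < parse_version(fixed):
            affected.append(cve)
    return sorted(affected)


def _splunk_bool(value):
    # Splunk .conf files accept true/false, 1/0 and yes/no for boolean settings.
    return value.strip().lower() in ("1", "true", "yes", "t", "y")


def web_conf_exposure(web_conf_text):
    """Report whether Splunk Web is enabled and whether the CVE-2025-20371 precondition
    holds. Defaults for absent keys (startwebserver on, enableSplunkWebClientNetloc off)
    are an assumption taken from web.conf.spec; confirm with `splunk btool web list`."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(web_conf_text)
    settings = cfg["settings"] if cfg.has_section("settings") else {}
    web_enabled = _splunk_bool(settings.get("startwebserver", "true"))
    netloc_enabled = _splunk_bool(settings.get("enableSplunkWebClientNetloc", "false"))
    return {
        "splunk_web_enabled": web_enabled,
        # The SSRF needs Splunk Web reachable AND the netloc setting turned on.
        "ssrf_precondition_met": web_enabled and netloc_enabled,
    }


# Constructed sample web.conf contents: the exposed state and the hardened form.
EXPOSED_WEB_CONF = """[settings]
startwebserver = 1
enableSplunkWebClientNetloc = true
"""
HARDENED_WEB_CONF = """[settings]
startwebserver = 1
enableSplunkWebClientNetloc = false
"""

if __name__ == "__main__":
    print("Enterprise 9.4.3 :", unpatched_cves("enterprise", "9.4.3"))
    print("Enterprise 10.0.0:", unpatched_cves("enterprise", "10.0.0"))
    print("Cloud 9.3.2411.108:", unpatched_cves("cloud", "9.3.2411.108"))
    print("exposed web.conf :", web_conf_exposure(EXPOSED_WEB_CONF))
    print("hardened web.conf:", web_conf_exposure(HARDENED_WEB_CONF))
```

The train-keyed lookup matters because the Cloud fixed builds differ per CVE within one train (a 9.3.2411.108 instance is fixed for the XSS, XXE and DoS flaws but still missing the fixes for CVE-2025-20366, CVE-2025-20367 and CVE-2025-20371), and because a 10.0.0 Enterprise instance only needs to care about the two CVEs whose rows list it. The web.conf check reads the file you point it at; on a real host run it against the output of `splunk btool web list settings` rather than a single file, since that merges every app's web.conf in precedence order.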


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.