Splunk Enterprise Flaws Allow Attackers to Run Unauthorized JavaScript Code


Splunk released security advisories addressing multiple vulnerabilities affecting various versions of Splunk Enterprise and Splunk Cloud Platform.

The flaws range from cross-site scripting (XSS) vulnerabilities to access control bypasses, with CVSS scores ranging from 4.6 to 7.5.

Six Vulnerabilities Identified

The advisories cover six distinct vulnerabilities, five of which sit in the Splunk Web component. None is rated Critical; the highest score is 7.5 (High).

Two of them are cross-site scripting flaws that let an authenticated low-privileged user execute attacker-supplied JavaScript in the browser of a victim who views the affected page.

CVE ID         | Advisory ID   | Vulnerability Type                  | CVSS Score
CVE-2025-20366 | SVD-2025-1001 | Improper Access Control             | 6.5 (Medium)
CVE-2025-20367 | SVD-2025-1002 | Reflected XSS                       | 5.7 (Medium)
CVE-2025-20368 | SVD-2025-1003 | Stored XSS                          | 5.7 (Medium)
CVE-2025-20369 | SVD-2025-1004 | XML External Entity (XXE)           | 4.6 (Medium)
CVE-2025-20370 | SVD-2025-1005 | Denial of Service (DoS)             | 4.9 (Medium)
CVE-2025-20371 | SVD-2025-1006 | Server-Side Request Forgery (SSRF)  | 7.5 (High)

CVE-2025-20367 is a reflected XSS in the /app/search/table endpoint, reached through the dataset.command parameter; CVE-2025-20368 is a stored XSS in which the payload is persisted in a saved search and rendered through its error messages and job inspection details.

The most severe of the six, CVE-2025-20371, scores 7.5 and is an unauthenticated blind server-side request forgery in the REST API. "Blind" means the attacker does not see the response; the damage is that REST API calls are issued with the privileges of an authenticated high-privileged user.

Exploitation requires the enableSplunkWebClientNetloc setting in web.conf to be true and requires user interaction: the privileged victim has to be induced to load attacker-controlled content while holding a valid session.

CVE-2025-20366 is an improper access control issue: a low-privileged user who guesses the Search ID (SID) of a background job submitted by an administrator can read that job's results, which may contain data the user is not otherwise entitled to see.

It scores 6.5 and affects background job submission, a core function of the search head.

The remaining two are CVE-2025-20369, an XML External Entity (XXE) injection through dashboard label fields that can be abused to cause a denial of service, and CVE-2025-20370, which lets a high-privileged user (one holding the change_authentication capability) trigger a DoS condition by issuing multiple LDAP bind requests.

Affected Products and Versions

The vulnerabilities affect Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8 in their respective release lines. Splunk Cloud Platform instances below specific build numbers are also affected.

Notably, Splunk Enterprise 10.0.0 is vulnerable to the LDAP DoS and SSRF attacks but remains unaffected by the XSS and access control issues.

Five of the six flaws lie in the Splunk Web component; the SSRF flaw is in the REST API.

The privilege needed differs by flaw: the XSS, access control and XXE issues require an authenticated low-privileged account, the SSRF can be triggered without authentication but needs a privileged victim to interact, and the LDAP DoS requires a high-privileged account. In each case the entry point is a web-facing interface, and the outcome is unauthorized data access or loss of availability.

Organizations using affected Splunk versions should immediately upgrade to the latest patched releases: 10.0.1, 9.4.4, 9.3.6, or 9.2.8 for Splunk Enterprise. Splunk is actively monitoring and patching Cloud Platform instances automatically.

For environments where immediate patching isn’t feasible, administrators can implement several workarounds.

Disabling Splunk Web removes exposure to the flaws that live in that component, at the cost of the web interface itself. For the SSRF vulnerability, setting enableSplunkWebClientNetloc to false in web.conf mitigates the risk.

The LDAP DoS vulnerability can be mitigated by removing the change_authentication capability from any role that does not need it. Because Splunk roles inherit capabilities through importRoles, a role that imports admin holds the capability too, so the review has to follow inheritance rather than only the roles that list it directly.
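The following script is an added example, not code from Splunk or from the advisories. It audits the two workaround settings above from the text of web.conf and authorize.conf: it reports whether enableSplunkWebClientNetloc is off (the SSRF mitigation) and which roles hold change_authentication, resolving importRoles inheritance. The config snippets are constructed for the example; the assumption that an absent enableSplunkWebClientNetloc behaves as false, and the set of strings treated as true, are the author's simplifications rather than a statement of Splunk's parser.

```python
"""Audit Splunk web.conf / authorize.conf text for the two documented workarounds."""
import configparser
from typing import Dict, Set

# Constructed sample configs for the example (not from any real deployment).
WEB_CONF_WEAK = """
[settings]
enableSplunkWebClientNetloc = true
"""

WEB_CONF_FIXED = """
[settings]
enableSplunkWebClientNetloc = false
"""

AUTHORIZE_CONF = """
[role_admin]
change_authentication = enabled
importRoles = power;user

[role_power]
importRoles = user
schedule_search = enabled

[role_user]
search = enabled

[role_ldap_helpdesk]
importRoles = admin
"""


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; disable interpolation so '%' in values is safe.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as enableSplunkWebClientNetloc
    cp.read_string(text)
    return cp


def ssrf_mitigated(web_conf_text: str) -> bool:
    """True when web.conf does not enable the client-netloc feature the SSRF depends on.

    Assumption: an absent setting is treated as false.
    """
    cp = _parse(web_conf_text)
    value = cp.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return value.strip().lower() not in ("true", "1", "yes")


def roles_with_capability(authorize_conf_text: str, capability: str) -> Set[str]:
    """Roles holding `capability`, either directly or via importRoles inheritance."""
    cp = _parse(authorize_conf_text)
    direct: Dict[str, Set[str]] = {}
    imports: Dict[str, Set[str]] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        role = section[len("role_"):]
        # In authorize.conf a granted capability appears as '<name> = enabled'.
        direct[role] = {k for k, v in cp.items(section) if v.strip().lower() == "enabled"}
        raw = cp.get(section, "importRoles", fallback="")
        imports[role] = {r.strip() for r in raw.split(";") if r.strip()}

    def holds(role: str, seen: Set[str]) -> bool:
        if role in seen or role not in direct:  # cycle guard / unknown parent
            return False
        seen.add(role)
        if capability in direct[role]:
            return True
        return any(holds(parent, seen) for parent in imports[role])

    return {r for r in direct if holds(r, set())}


if __name__ == "__main__":
    for label, conf in (("weak", WEB_CONF_WEAK), ("fixed", WEB_CONF_FIXED)):
        print(f"web.conf ({label}): SSRF workaround in place = {ssrf_mitigated(conf)}")
    print("roles holding change_authentication:",
          sorted(roles_with_capability(AUTHORIZE_CONF, "change_authentication")))
```

On a real host the same functions can be pointed at the merged configuration rather than a single file, since settings may be split across system/local and app directories.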

These vulnerabilities highlight the importance of maintaining updated Splunk installations and implementing proper access controls.

Organizations should regularly review user privileges and ensure low-privileged accounts have minimal necessary permissions.

Security teams should monitor for unusual search job access, in particular one account requesting many distinct Search IDs it never created, or reading results of jobs owned by other users, and should segment the network so that an SSRF from the search head cannot reach sensitive internal services.
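As an added example (not from the advisories or from Splunk), the script below runs a simple detection for the SID-guessing pattern behind CVE-2025-20366 over constructed log lines written in the shape of splunkd_access.log. It flags a user who collects repeated 403/404 responses from /services/search/jobs/<sid> (enumeration) or who successfully reads a scheduled-search job whose SID names a different owner. The log line format, the threshold, and the assumption that scheduled-search SIDs take the form scheduler__<owner>__<app>__... are the author's, and the sample lines are constructed.

```python
"""Flag Search-ID guessing against the Splunk search jobs REST endpoint."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed sample lines in the shape of splunkd_access.log
# (combined log format: client - user [time] "METHOD path proto" status bytes ...).
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Oct/2025:12:00:01.000 +0000] "GET /services/search/jobs/scheduler__admin__search__RMD5aa11_at_1760000000_1/results HTTP/1.1" 200 812 - - - 3ms
10.0.0.9 - lowpriv [10/Oct/2025:12:00:02.000 +0000] "GET /services/search/jobs/1760000000.101/results HTTP/1.1" 404 0 - - - 1ms
10.0.0.9 - lowpriv [10/Oct/2025:12:00:02.050 +0000] "GET /services/search/jobs/1760000000.102/results HTTP/1.1" 404 0 - - - 1ms
10.0.0.9 - lowpriv [10/Oct/2025:12:00:02.100 +0000] "GET /services/search/jobs/1760000000.103/results HTTP/1.1" 403 0 - - - 1ms
10.0.0.9 - lowpriv [10/Oct/2025:12:00:02.150 +0000] "GET /services/search/jobs/1760000000.104/results HTTP/1.1" 404 0 - - - 1ms
10.0.0.9 - lowpriv [10/Oct/2025:12:00:03.000 +0000] "GET /services/search/jobs/scheduler__admin__search__RMD5aa11_at_1760000000_1/results HTTP/1.1" 200 812 - - - 2ms
10.0.0.7 - analyst [10/Oct/2025:12:00:04.000 +0000] "GET /services/search/jobs/1760000000.200/results HTTP/1.1" 200 4096 - - - 5ms
10.0.0.7 - analyst [10/Oct/2025:12:00:05.000 +0000] "GET /services/authentication/current-context HTTP/1.1" 200 512 - - - 1ms
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
JOB_RE = re.compile(r'^/services/search/jobs/(?P<sid>[^/?]+)')


def parse_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in lines) if m]


def job_sid(path: str) -> Optional[str]:
    """Extract the SID from a /services/search/jobs/<sid>... path, if any."""
    m = JOB_RE.match(path)
    return unquote(m.group("sid")) if m else None


def sid_owner(sid: str) -> Optional[str]:
    """Owner embedded in a scheduled-search SID (assumed form scheduler__<owner>__<app>__...).

    Ad-hoc SIDs (epoch.sequence) carry no owner, so None is returned for them.
    """
    parts = sid.split("__")
    if len(parts) >= 4 and parts[0] == "scheduler":
        return parts[1]
    return None


def sid_access_report(lines: Iterable[str], miss_threshold: int = 3) -> Tuple[Dict[str, dict], Set[str]]:
    """Per-user summary of job lookups plus the set of users worth investigating.

    A user is flagged when failed lookups (403/404) reach miss_threshold, which is
    what guessing SIDs looks like, or when they read another owner's scheduled job.
    """
    report: Dict[str, dict] = defaultdict(
        lambda: {"misses": 0, "distinct_sids": set(), "cross_user_reads": []}
    )
    for rec in parse_access_log(lines):
        sid = job_sid(rec["path"])
        if sid is None:
            continue  # not a search-jobs request
        entry = report[rec["user"]]
        entry["distinct_sids"].add(sid)
        if rec["status"] in ("403", "404"):
            entry["misses"] += 1
        owner = sid_owner(sid)
        if rec["status"] == "200" and owner and owner != rec["user"]:
            entry["cross_user_reads"].append(sid)
    flagged = {u for u, e in report.items() if e["misses"] >= miss_threshold or e["cross_user_reads"]}
    return dict(report), flagged


if __name__ == "__main__":
    summary, suspicious = sid_access_report(SAMPLE_LOG.splitlines())
    for user, entry in summary.items():
        print(f"{user}: misses={entry['misses']} distinct_sids={len(entry['distinct_sids'])} "
              f"cross_user_reads={entry['cross_user_reads']}")
    print("flagged:", sorted(suspicious))
```

The same two signals translate directly into a scheduled search over the _internal index: count 403/404 responses to the jobs endpoint per user over a short window, and compare the owner segment of scheduler SIDs against the requesting user.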

Regular security assessments of Splunk configurations can help identify vulnerable settings before they’re exploited.

The two XSS findings, one reflected through a request parameter and one stored in saved-search metadata, are a reminder that every path by which user-controlled text reaches the browser needs context-appropriate output encoding, not only the obvious form fields; error messages and job inspection output are rendered too.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.