Splunk has disclosed a reflected Cross-Site Scripting (XSS) vulnerability in its Enterprise and Cloud Platform products, tracked as CVE-2025-20297 and detailed in advisory SVD-2025-0601.
The flaw, rated medium with a CVSSv3.1 score of 4.3, affects the dashboard PDF generation component and exposes organizations to risks of unauthorized JavaScript execution by low-privileged users.
Exploitation via pdfgen/render Endpoint
The vulnerability resides in the pdfgen/render REST endpoint of Splunk Web, the component responsible for dashboard PDF generation.
In affected versions, a low-privileged user—one without “admin” or “power” roles—can craft a malicious payload that, when processed, results in the execution of unauthorized JavaScript in the browser of another user.
This is a classic example of a reflected XSS attack, classified under CWE-79.
The attack requires only authenticated access with minimal privileges and does not need user interaction, making it accessible to a broader range of attackers.
The CVSSv3.1 vector string is as follows:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- AV:N (Attack Vector: Network) – Exploitable remotely
- AC:L (Attack Complexity: Low) – No special conditions required
- PR:L (Privileges Required: Low) – Any authenticated user except admin/power
- UI:N (User Interaction: None) – No user action required
- S:U (Scope: Unchanged)
- C:L (Confidentiality Impact: Low) – Limited data exposure
- I:N (Integrity Impact: None)
- A:N (Availability Impact: None)
Affected Versions and Patch Guidance
The vulnerability affects both Splunk Enterprise and Splunk Cloud Platform across several version branches.
Notably, Splunk Enterprise 9.1 is not impacted.
The table below summarizes affected and fixed versions:
| Product | Base Version | Affected Versions | Fixed Version |
|---|---|---|---|
| Splunk Enterprise | 9.4 | 9.4.1 | 9.4.2 |
| Splunk Enterprise | 9.3 | 9.3.0 – 9.3.3 | 9.3.4 |
| Splunk Enterprise | 9.2 | 9.2.0 – 9.2.5 | 9.2.6 |
| Splunk Enterprise | 9.1 | Not Affected | 9.1.9 |
| Splunk Cloud Platform | 9.3.2411 | Below 9.3.2411.102 | 9.3.2411.102 |
| Splunk Cloud Platform | 9.3.2408 | Below 9.3.2408.111 | 9.3.2408.111 |
| Splunk Cloud Platform | 9.2.2406 | Below 9.2.2406.118 | 9.2.2406.118 |
Mitigation and Workarounds
- Upgrade Splunk Enterprise to 9.4.2, 9.3.4, 9.2.6, or higher.
- Splunk Cloud Platform instances are being actively monitored and patched by Splunk.
- As a temporary workaround, organizations can disable Splunk Web (via the web.conf configuration file), which will eliminate the attack vector but may impact dashboard and PDF functionality.
Security Impact and Recommendations
According to the report, while the vulnerability’s CVSS score is moderate, the risk is elevated by the low privilege requirements and the lack of required user interaction.
Attackers exploiting this flaw could potentially hijack user sessions or exfiltrate sensitive data by injecting JavaScript into the PDF rendering process.
Security teams are advised to:
- Prioritize patching affected Splunk instances.
- Audit user privileges, limiting access where possible.
- Monitor for suspicious activity targeting the pdfgen/render endpoint.
- Consider disabling Splunk Web if immediate patching is not feasible.
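As an added example (not code from Splunk or the advisory), the check below scans Apache-combined-style access log entries for requests to the pdfgen/render endpoint whose query values still carry markup after URL decoding, and surfaces non-GET requests whose parameters the access log cannot show. The log layout, the parameter names and the sample lines are assumptions constructed here for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample entries in an Apache-combined-style layout resembling
# Splunk's web_access.log (assumed format, not real captures). The query
# parameter names are assumed as well; the advisory does not list them.
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [02/Jun/2025:09:14:02.115 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=sales_overview&paper-size=a4 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.9 - analyst2 [02/Jun/2025:09:15:41.004 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1012 "-" "Mozilla/5.0"
10.0.0.9 - analyst2 [02/Jun/2025:09:16:03.877 +0000] "GET /en-US/app/search/dashboards?q=%3Cb%3E HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
10.0.0.9 - analyst2 [02/Jun/2025:09:16:30.512 +0000] "POST /en-US/splunkd/__raw/services/pdfgen/render HTTP/1.1" 200 30001 "-" "Mozilla/5.0"
"""

# Client IP, user, timestamp, method, request target and status of one entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ENDPOINT = "pdfgen/render"  # the endpoint named in the advisory
# Tokens that have no business in a dashboard id or a paper size.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """Return {param: decoded_value} for query values that contain markup."""
    hits = {}
    for key, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(val)  # parse_qsl decoded once; again catches double-encoding
        if MARKUP_RE.search(decoded):
            hits[key] = decoded
    return hits

def scan(log_text):
    """Return findings for requests to the pdfgen/render endpoint only."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or ENDPOINT not in urlsplit(rec["target"]).path:
            continue
        hits = suspicious_params(rec["target"])
        if hits or rec["method"] != "GET":
            # Body-carried parameters never reach the access log, so a non-GET
            # request is reported with params=None for manual review.
            findings.append({"user": rec["user"], "ip": rec["ip"],
                             "ts": rec["ts"], "params": hits or None})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests to other endpoints are ignored even when they carry angle brackets, so the rule stays focused on the component the advisory names.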
Splunk credits Klevis Luli for the discovery of the vulnerability.
No active exploitation has been reported as of the last update.