Headline
CVE-2023-40592: Reflected Cross-site Scripting (XSS) on
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.
Reflected Cross-site Scripting (XSS) on “/app/search/table” web endpoint
Advisory ID: SVD-2023-0801
Published: 2023-08-30
Last Update: 2023-08-30
CVSSv3.1 Score: 8.4, High
Description
In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.
Solution
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product
Version
Component
Affected Version
Fix Version
Splunk Enterprise
8.2
Splunk Web
8.2.0 to 8.2.11
8.2.12
Splunk Enterprise
9.0
Splunk Web
9.0.0 to 9.0.5
9.0.6
Splunk Enterprise
9.1
Splunk Web
9.1.0
9.1.1
Splunk Cloud
-
Splunk Web
9.0.2305.100 and below
9.0.2305.200
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
None
Severity
Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Acknowledgments
Danylo Dmytriiev (DDV_UA)