Headline
CVE-2023-46213: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page
In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax highlighted” feature can result in the execution of unauthorized code in a user’s web browser.
Advisory ID: SVD-2023-1103
Published: 2023-11-16
Last Update: 2023-11-16
CVSSv3.1 Score: 4.8, Medium
Description
In Splunk Enterprise versions below 9.0.7 and 9.1.2, the “Show syntax highlighted” feature of the Search page does not effectively escape log file characters.
This vulnerability lets an attacker craft a log file that can execute unauthorized JavaScript code in the browser of a user who interacts with events in the malicious log file in a specific way.
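As an added illustration of the escaping flaw described above (example code, not Splunk's own implementation): a toy key=value highlighter standing in for a "show syntax highlighted" view, in its vulnerable and hardened forms, with a check that the rendered HTML contains no markup beyond the highlighter's own span tags. The escapeHtml helper, the key=value grammar and the sample event are all constructed for this example.

```javascript
// Escape the five characters that can open or close HTML markup or attributes.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// Generic highlighter: walks the event, wraps every key=value token in <span>
// tags and passes every piece of event text through `encode` before emitting it.
// Text between tokens is encoded too, so nothing from the event is inserted raw
// unless `encode` itself is the identity.
function highlight(event, encode) {
  const token = /(\w+)=("[^"]*"|\S+)/g;
  let out = '';
  let last = 0;
  for (const m of event.matchAll(token)) {
    out += encode(event.slice(last, m.index));
    out += `<span class="key">${encode(m[1])}</span>=` +
           `<span class="val">${encode(m[2])}</span>`;
    last = m.index + m[0].length;
  }
  return out + encode(event.slice(last));
}

// Vulnerable form: the event text is inserted unchanged, so markup inside a
// log line becomes markup in the page once the result reaches innerHTML.
const highlightUnsafe = (event) => highlight(event, (s) => s);

// Hardened form: escape first, then wrap. The only tags that can appear in
// the output are the <span> tags the highlighter emits itself.
const highlightSafe = (event) => highlight(event, escapeHtml);

// Check used in review or tests: strip the highlighter's own tags and verify
// that no angle bracket survives. Any that does originated in the log event.
function leaksMarkup(html) {
  const stripped = html.replace(/<span class="(?:key|val)">|<\/span>/g, '');
  return /[<>]/.test(stripped);
}

// Constructed sample event carrying markup in a quoted field value.
const SAMPLE_EVENT = 'user=alice msg="<script>alert(1)</script>" status=500';

console.log('unsafe leaks markup:', leaksMarkup(highlightUnsafe(SAMPLE_EVENT))); // true
console.log('safe leaks markup:  ', leaksMarkup(highlightSafe(SAMPLE_EVENT)));   // false
```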
Solution
Upgrade Splunk Enterprise to versions 9.0.7 or 9.1.2.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.6           9.0.7
Splunk Enterprise  9.1      Splunk Web  9.1.0 to 9.1.1           9.1.2
Splunk Cloud       -        Splunk Web  Versions below 9.1.2308  9.1.2308
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Do not use the “Show syntax highlighted” feature in the Search page on imported log files whose origins you are not familiar with.
Detections
None
Severity
Splunk rates this vulnerability a 4.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
If the Splunk Enterprise instance does not run Splunk Web, it is not affected and this vulnerability can be considered Informational.
Acknowledgments
Joshua Neubecker