Search criteria
249 vulnerabilities found for splunk_cloud_platform by splunk
CVE-2025-20388 (GCVE-0-2025-20388)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 18:14
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.
Severity ?
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Mr Hack (try_to_hack) Santiago Lopez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T18:12:35.294523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:14:46.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.4",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.6",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.116",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mr Hack (try_to_hack) Santiago Lopez"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:59.450Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1207"
}
],
"source": {
"advisory": "SVD-2025-1207"
},
"title": "Blind Server Side Request Forgery (SSRF) through Distributed Search Peers in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20388",
"datePublished": "2025-12-03T17:00:59.450Z",
"dateReserved": "2024-10-10T19:15:13.265Z",
"dateUpdated": "2025-12-03T18:14:46.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20389 (GCVE-0-2025-20389)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:37
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).
Severity ?
4.3 (Medium)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:36:48.311013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:37:01.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.9.10",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.58",
"status": "affected",
"version": "3.8",
"versionType": "custom"
},
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS)."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:55.364Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1208"
}
],
"source": {
"advisory": "SVD-2025-1208"
},
"title": "Improper Input Validation in \"label\" column field in Splunk Secure Gateway App"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20389",
"datePublished": "2025-12-03T17:00:55.364Z",
"dateReserved": "2024-10-10T19:15:13.266Z",
"dateUpdated": "2025-12-03T21:37:01.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20384 (GCVE-0-2025-20384)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:32
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.
Severity ?
5.3 (Medium)
CWE
- CWE-117 - The software does not neutralize or incorrectly neutralizes output that is written to logs.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
STÖK / Fredrik Alexandersson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:32:13.797275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:32:24.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.4",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.6",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.117",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:34.212Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1203"
}
],
"source": {
"advisory": "SVD-2025-1203"
},
"title": "Unauthenticated Log Injection in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20384",
"datePublished": "2025-12-03T17:00:34.212Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:32:24.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20385 (GCVE-0-2025-20385)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:30
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Dr. Oliver Matula, DB Systel GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:30:29.194337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:30:42.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.7",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.117",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dr. Oliver Matula, DB Systel GmbH"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:29.826Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1204"
}
],
"source": {
"advisory": "SVD-2025-1204"
},
"title": "Stored Cross-Site scripting (XSS) through Anchor Tag \"href\" in Navigation Bar Collections in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20385",
"datePublished": "2025-12-03T17:00:29.826Z",
"dateReserved": "2024-10-10T19:15:13.265Z",
"dateUpdated": "2025-12-03T21:30:42.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20382 (GCVE-0-2025-20382)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:28
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-601 - A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:28:22.162687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:28:38.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.10",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:21.824Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1201"
}
],
"source": {
"advisory": "SVD-2025-1201"
},
"title": "URL validation bypass through Views Dashboard in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20382",
"datePublished": "2025-12-03T17:00:21.824Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:28:38.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20383 (GCVE-0-2025-20383)
Vulnerability from nvd – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:33
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
||||||||||||
|
||||||||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:33:01.823595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:33:17.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.9.10",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.58",
"status": "affected",
"version": "3.8",
"versionType": "custom"
},
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:36.414Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1202"
}
],
"source": {
"advisory": "SVD-2025-1202"
},
"title": "Improper access control through push notifications for reports and alerts in Splunk Secure Gateway app"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20383",
"datePublished": "2025-12-03T17:00:36.414Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:33:17.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20379 (GCVE-0-2025-20379)
Vulnerability from nvd – Published: 2025-11-12 17:23 – Updated: 2025-11-12 21:04
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.5 (custom) Affected: 9.3 , < 9.3.7 (custom) Affected: 9.2 , < 9.2.9 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:47:25.092580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:04:40.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.5",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.7",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.9",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.116",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.124",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.5",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.1",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the \u201c/services/streams/search\u201c endpoint through its \u201cq\u201c parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the \u201c/services/streams/search\u201c endpoint through its \u201cq\u201c parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T17:23:00.819Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1102"
}
],
"source": {
"advisory": "SVD-2025-1102"
},
"title": "Risky command safeguards bypass using the \u201c/services/streams/search\u201c REST endpoint through \u201cq\u201c parameter in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20379",
"datePublished": "2025-11-12T17:23:00.819Z",
"dateReserved": "2024-10-10T19:15:13.263Z",
"dateUpdated": "2025-11-12T21:04:40.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20378 (GCVE-0-2025-20378)
Vulnerability from nvd – Published: 2025-11-12 17:22 – Updated: 2025-11-12 21:04
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-601 - A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.5 (custom) Affected: 9.3 , < 9.3.7 (custom) Affected: 9.2 , < 9.2.9 (custom) |
|||||||
|
|||||||||
Credits
Diogo Real (c0rte)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:47:32.175559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:04:48.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.5",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.7",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.9",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2503.5",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.111",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.121",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Diogo Real (c0rte)"
}
],
"datePublic": "2025-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T17:22:56.630Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1101"
}
],
"source": {
"advisory": "SVD-2025-1101"
},
"title": "Open Redirect on Web Login endpoint in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20378",
"datePublished": "2025-11-12T17:22:56.630Z",
"dateReserved": "2024-10-10T19:15:13.263Z",
"dateUpdated": "2025-11-12T21:04:48.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20368 (GCVE-0-2025-20368)
Vulnerability from nvd – Published: 2025-10-01 16:08 – Updated: 2025-10-01 17:35
VLAI?
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.0
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:31.984073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:35:52.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.0",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.108",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.118",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.123",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:04.403Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1003"
}
],
"source": {
"advisory": "SVD-2025-1003"
},
"title": "Stored Cross-Site Scripting (XSS) through missing field warning messages in Saved Search and Job Inspector on Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20368",
"datePublished": "2025-10-01T16:08:04.403Z",
"dateReserved": "2024-10-10T19:15:13.261Z",
"dateUpdated": "2025-10-01T17:35:52.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20371 (GCVE-0-2025-20371)
Vulnerability from nvd – Published: 2025-10-01 16:08 – Updated: 2025-10-02 03:55
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
Severity ?
7.5 (High)
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Alex Hordijk (hordalex)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T03:55:47.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.109",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.119",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.122",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alex Hordijk (hordalex)"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:02.891Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1006"
}
],
"source": {
"advisory": "SVD-2025-1006"
},
"title": "Unauthenticated Blind Server Side Request Forgery (SSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20371",
"datePublished": "2025-10-01T16:08:02.891Z",
"dateReserved": "2024-10-10T19:15:13.262Z",
"dateUpdated": "2025-10-02T03:55:47.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20367 (GCVE-0-2025-20367)
Vulnerability from nvd – Published: 2025-10-01 16:08 – Updated: 2025-10-01 17:40
VLAI?
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.0
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
Anudeep Gandla, Splunk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:19:40.128884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:40:43.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.0",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.109",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.119",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.122",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
},
{
"lang": "en",
"value": "Anudeep Gandla, Splunk"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:01.304Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1002"
}
],
"source": {
"advisory": "SVD-2025-1002"
},
"title": "Reflected Cross-site Scripting (XSS) in \u0027/app/search/table\u0027 endpoint through the \u0027dataset.command\u0027 parameter on Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20367",
"datePublished": "2025-10-01T16:08:01.304Z",
"dateReserved": "2024-10-10T19:15:13.261Z",
"dateUpdated": "2025-10-01T17:40:43.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20388 (GCVE-0-2025-20388)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 18:14
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.
Severity ?
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Mr Hack (try_to_hack) Santiago Lopez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T18:12:35.294523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:14:46.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.4",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.6",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.116",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mr Hack (try_to_hack) Santiago Lopez"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:59.450Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1207"
}
],
"source": {
"advisory": "SVD-2025-1207"
},
"title": "Blind Server Side Request Forgery (SSRF) through Distributed Search Peers in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20388",
"datePublished": "2025-12-03T17:00:59.450Z",
"dateReserved": "2024-10-10T19:15:13.265Z",
"dateUpdated": "2025-12-03T18:14:46.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20389 (GCVE-0-2025-20389)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:37
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).
Severity ?
4.3 (Medium)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:36:48.311013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:37:01.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.9.10",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.58",
"status": "affected",
"version": "3.8",
"versionType": "custom"
},
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS)."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:55.364Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1208"
}
],
"source": {
"advisory": "SVD-2025-1208"
},
"title": "Improper Input Validation in \"label\" column field in Splunk Secure Gateway App"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20389",
"datePublished": "2025-12-03T17:00:55.364Z",
"dateReserved": "2024-10-10T19:15:13.266Z",
"dateUpdated": "2025-12-03T21:37:01.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20383 (GCVE-0-2025-20383)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:33
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
||||||||||||
|
||||||||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:33:01.823595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:33:17.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.9.10",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.58",
"status": "affected",
"version": "3.8",
"versionType": "custom"
},
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:36.414Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1202"
}
],
"source": {
"advisory": "SVD-2025-1202"
},
"title": "Improper access control through push notifications for reports and alerts in Splunk Secure Gateway app"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20383",
"datePublished": "2025-12-03T17:00:36.414Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:33:17.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20384 (GCVE-0-2025-20384)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:32
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.
Severity ?
5.3 (Medium)
CWE
- CWE-117 - The software does not neutralize or incorrectly neutralizes output that is written to logs.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
STÖK / Fredrik Alexandersson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:32:13.797275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:32:24.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.4",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.6",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.117",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:34.212Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1203"
}
],
"source": {
"advisory": "SVD-2025-1203"
},
"title": "Unauthenticated Log Injection in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20384",
"datePublished": "2025-12-03T17:00:34.212Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:32:24.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20385 (GCVE-0-2025-20385)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:30
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Dr. Oliver Matula, DB Systel GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:30:29.194337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:30:42.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.6",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.7",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.117",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dr. Oliver Matula, DB Systel GmbH"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:29.826Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1204"
}
],
"source": {
"advisory": "SVD-2025-1204"
},
"title": "Stored Cross-Site scripting (XSS) through Anchor Tag \"href\" in Navigation Bar Collections in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20385",
"datePublished": "2025-12-03T17:00:29.826Z",
"dateReserved": "2024-10-10T19:15:13.265Z",
"dateUpdated": "2025-12-03T21:30:42.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20382 (GCVE-0-2025-20382)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:00 – Updated: 2025-12-03 21:28
VLAI?
Summary
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-601 - A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.2
(custom)
Affected: 9.4 , < 9.4.6 (custom) Affected: 9.3 , < 9.3.8 (custom) Affected: 9.2 , < 9.2.10 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:28:22.162687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:28:38.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.6",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.8",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.10",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.1.2507.10",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.8",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.120",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-12-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:00:21.824Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1201"
}
],
"source": {
"advisory": "SVD-2025-1201"
},
"title": "URL validation bypass through Views Dashboard in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20382",
"datePublished": "2025-12-03T17:00:21.824Z",
"dateReserved": "2024-10-10T19:15:13.264Z",
"dateUpdated": "2025-12-03T21:28:38.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20379 (GCVE-0-2025-20379)
Vulnerability from cvelistv5 – Published: 2025-11-12 17:23 – Updated: 2025-11-12 21:04
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-200 - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.5 (custom) Affected: 9.3 , < 9.3.7 (custom) Affected: 9.2 , < 9.2.9 (custom) |
|||||||
|
|||||||||
Credits
Anton (therceman)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:47:25.092580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:04:40.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.5",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.7",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.9",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.116",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.124",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.5",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.1",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Anton (therceman)"
}
],
"datePublic": "2025-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the \u201c/services/streams/search\u201c endpoint through its \u201cq\u201c parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the \u201c/services/streams/search\u201c endpoint through its \u201cq\u201c parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T17:23:00.819Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1102"
}
],
"source": {
"advisory": "SVD-2025-1102"
},
"title": "Risky command safeguards bypass using the \u201c/services/streams/search\u201c REST endpoint through \u201cq\u201c parameter in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20379",
"datePublished": "2025-11-12T17:23:00.819Z",
"dateReserved": "2024-10-10T19:15:13.263Z",
"dateUpdated": "2025-11-12T21:04:40.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20378 (GCVE-0-2025-20378)
Vulnerability from cvelistv5 – Published: 2025-11-12 17:22 – Updated: 2025-11-12 21:04
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
Severity ?
CWE
- CWE-601 - A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.5 (custom) Affected: 9.3 , < 9.3.7 (custom) Affected: 9.2 , < 9.2.9 (custom) |
|||||||
|
|||||||||
Credits
Diogo Real (c0rte)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:47:32.175559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:04:48.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.5",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.7",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.9",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.2503.5",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.111",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.121",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Diogo Real (c0rte)"
}
],
"datePublic": "2025-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T17:22:56.630Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1101"
}
],
"source": {
"advisory": "SVD-2025-1101"
},
"title": "Open Redirect on Web Login endpoint in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20378",
"datePublished": "2025-11-12T17:22:56.630Z",
"dateReserved": "2024-10-10T19:15:13.263Z",
"dateUpdated": "2025-11-12T21:04:48.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20368 (GCVE-0-2025-20368)
Vulnerability from cvelistv5 – Published: 2025-10-01 16:08 – Updated: 2025-10-01 17:35
VLAI?
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.0
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:31.984073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:35:52.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.0",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.108",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.118",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.123",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:04.403Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1003"
}
],
"source": {
"advisory": "SVD-2025-1003"
},
"title": "Stored Cross-Site Scripting (XSS) through missing field warning messages in Saved Search and Job Inspector on Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20368",
"datePublished": "2025-10-01T16:08:04.403Z",
"dateReserved": "2024-10-10T19:15:13.261Z",
"dateUpdated": "2025-10-01T17:35:52.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20371 (GCVE-0-2025-20371)
Vulnerability from cvelistv5 – Published: 2025-10-01 16:08 – Updated: 2025-10-02 03:55
VLAI?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
Severity ?
7.5 (High)
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.1
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Alex Hordijk (hordalex)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T03:55:47.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.109",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.119",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.122",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alex Hordijk (hordalex)"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user."
}
],
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:02.891Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1006"
}
],
"source": {
"advisory": "SVD-2025-1006"
},
"title": "Unauthenticated Blind Server Side Request Forgery (SSRF) in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20371",
"datePublished": "2025-10-01T16:08:02.891Z",
"dateReserved": "2024-10-10T19:15:13.262Z",
"dateUpdated": "2025-10-02T03:55:47.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20367 (GCVE-0-2025-20367)
Vulnerability from cvelistv5 – Published: 2025-10-01 16:08 – Updated: 2025-10-01 17:40
VLAI?
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
10.0 , < 10.0.0
(custom)
Affected: 9.4 , < 9.4.4 (custom) Affected: 9.3 , < 9.3.6 (custom) Affected: 9.2 , < 9.2.8 (custom) |
|||||||
|
|||||||||
Credits
Danylo Dmytriiev (DDV_UA)
Anudeep Gandla, Splunk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:19:40.128884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:40:43.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.0",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3",
"versionType": "custom"
},
{
"lessThan": "9.2.8",
"status": "affected",
"version": "9.2",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.3.2411.109",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
},
{
"lessThan": "9.3.2408.119",
"status": "affected",
"version": "9.3.2408",
"versionType": "custom"
},
{
"lessThan": "9.2.2406.122",
"status": "affected",
"version": "9.2.2406",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
},
{
"lang": "en",
"value": "Anudeep Gandla, Splunk"
}
],
"datePublic": "2025-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T16:08:01.304Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2025-1002"
}
],
"source": {
"advisory": "SVD-2025-1002"
},
"title": "Reflected Cross-site Scripting (XSS) in \u0027/app/search/table\u0027 endpoint through the \u0027dataset.command\u0027 parameter on Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2025-20367",
"datePublished": "2025-10-01T16:08:01.304Z",
"dateReserved": "2024-10-10T19:15:13.261Z",
"dateUpdated": "2025-10-01T17:40:43.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-20379
Vulnerability from fkie_nvd - Published: 2025-11-12 18:15 - Updated: 2025-12-03 21:41
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1102 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | 10.0.0 | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "FE00218E-F8B2-42DA-9E4E-D7A00B657B93",
"versionEndExcluding": "9.2.9",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "C6257ADA-AB6E-4679-A41B-BCE79CE8D573",
"versionEndExcluding": "9.3.7",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "30970DF3-6DA7-4FAB-B234-3226F47F9C87",
"versionEndExcluding": "9.4.5",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C534EB53-D57A-4FB6-AC59-BDBFC451D892",
"versionEndExcluding": "9.3.2408.124",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF33BD17-3D4D-47CC-A917-13AD9C777A47",
"versionEndExcluding": "9.3.2411.116",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82D5593-83EE-4B20-ABDD-937AD94D6DB1",
"versionEndExcluding": "10.0.2503.5",
"versionStartIncluding": "10.0.2503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53675B00-D339-426F-AB65-AF70A983433D",
"versionEndExcluding": "10.1.2507.1",
"versionStartIncluding": "10.1.2507",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the \u201c/services/streams/search\u201c endpoint through its \u201cq\u201c parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"id": "CVE-2025-20379",
"lastModified": "2025-12-03T21:41:26.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-12T18:15:35.030",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1102"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20378
Vulnerability from fkie_nvd - Published: 2025-11-12 18:15 - Updated: 2025-12-03 21:43
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1101 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | 10.0.0 | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "FE00218E-F8B2-42DA-9E4E-D7A00B657B93",
"versionEndExcluding": "9.2.9",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "C6257ADA-AB6E-4679-A41B-BCE79CE8D573",
"versionEndExcluding": "9.3.7",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "30970DF3-6DA7-4FAB-B234-3226F47F9C87",
"versionEndExcluding": "9.4.5",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97D8397F-D372-4481-901A-0BC282B09DD7",
"versionEndExcluding": "9.3.2408.121",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F134529C-FFD7-4B2F-AE4C-6DEA847F4714",
"versionEndExcluding": "9.3.2411.111",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82D5593-83EE-4B20-ABDD-937AD94D6DB1",
"versionEndExcluding": "10.0.2503.5",
"versionStartIncluding": "10.0.2503",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will."
}
],
"id": "CVE-2025-20378",
"lastModified": "2025-12-03T21:43:31.337",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-12T18:15:34.847",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1101"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20370
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:24
Severity ?
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1005 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | 10.0.0 | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F61F654-CFCC-4E48-A860-7AFCBBE69297",
"versionEndExcluding": "9.2.2406.123",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D49A3BA2-2260-4294-964A-8E8A3729CEB4",
"versionEndExcluding": "9.3.2408.118",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7F27B31-B360-4AC9-BBBC-0A0F720C0B59",
"versionEndExcluding": "9.3.2411.108",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information."
}
],
"id": "CVE-2025-20370",
"lastModified": "2025-10-08T20:24:31.843",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:40.273",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1005"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20369
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:24
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1004 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F61F654-CFCC-4E48-A860-7AFCBBE69297",
"versionEndExcluding": "9.2.2406.123",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D49A3BA2-2260-4294-964A-8E8A3729CEB4",
"versionEndExcluding": "9.3.2408.118",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7F27B31-B360-4AC9-BBBC-0A0F720C0B59",
"versionEndExcluding": "9.3.2411.108",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the \"admin\" or \"power\" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks."
}
],
"id": "CVE-2025-20369",
"lastModified": "2025-10-08T20:24:06.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:40.080",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1004"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-776"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20371
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:25
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1006 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | 10.0.0 | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA1E6F9-415D-4062-BC4E-4EDFA6F6A7CA",
"versionEndExcluding": "9.2.2406.122",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BEB41CF-1F71-45BB-A434-984C16A2E174",
"versionEndExcluding": "9.3.2408.119",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5075451-6D11-4EA8-9BB5-9BB27ECF8A40",
"versionEndExcluding": "9.3.2411.109",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user."
}
],
"id": "CVE-2025-20371",
"lastModified": "2025-10-08T20:25:35.023",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:40.450",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1006"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20368
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:22
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1003 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F61F654-CFCC-4E48-A860-7AFCBBE69297",
"versionEndExcluding": "9.2.2406.123",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D49A3BA2-2260-4294-964A-8E8A3729CEB4",
"versionEndExcluding": "9.3.2408.118",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7F27B31-B360-4AC9-BBBC-0A0F720C0B59",
"versionEndExcluding": "9.3.2411.108",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"id": "CVE-2025-20368",
"lastModified": "2025-10-08T20:22:57.043",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:39.893",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1003"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20366
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:36
Severity ?
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1001 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA1E6F9-415D-4062-BC4E-4EDFA6F6A7CA",
"versionEndExcluding": "9.2.2406.122",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BEB41CF-1F71-45BB-A434-984C16A2E174",
"versionEndExcluding": "9.3.2408.119",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F134529C-FFD7-4B2F-AE4C-6DEA847F4714",
"versionEndExcluding": "9.3.2411.111",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job\u2019s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs."
}
],
"id": "CVE-2025-20366",
"lastModified": "2025-10-08T20:36:04.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:39.517",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1001"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-20367
Vulnerability from fkie_nvd - Published: 2025-10-01 17:15 - Updated: 2025-10-08 20:22
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@cisco.com | https://advisory.splunk.com/advisories/SVD-2025-1002 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * | |
| splunk | splunk_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "724443E6-2DC9-4AB3-8E8F-D9BFBCC162E6",
"versionEndExcluding": "9.2.8",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "046659D8-1F48-4229-AC57-2A3B77D44442",
"versionEndExcluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "88D2F283-10F9-4204-876A-9BEE75130E2C",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA1E6F9-415D-4062-BC4E-4EDFA6F6A7CA",
"versionEndExcluding": "9.2.2406.122",
"versionStartIncluding": "9.2.2406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BEB41CF-1F71-45BB-A434-984C16A2E174",
"versionEndExcluding": "9.3.2408.119",
"versionStartIncluding": "9.3.2408",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5075451-6D11-4EA8-9BB5-9BB27ECF8A40",
"versionEndExcluding": "9.3.2411.109",
"versionStartIncluding": "9.3.2411",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user."
}
],
"id": "CVE-2025-20367",
"lastModified": "2025-10-08T20:22:49.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-01T17:15:39.703",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://advisory.splunk.com/advisories/SVD-2025-1002"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@cisco.com",
"type": "Primary"
}
]
}