Advisories
Persistent cross-site scripting (XSS) in Splunk Dashboard
AdVisory Summary
| Title: | Persistent cross-site scripting (XSS) in Splunk Dashboard |
| Impact: | Execution of arbitrary JavaScript |
| Vendor: | Splunk Inc. |
| Product: | Splunk Enterprise |
| Versions: | 6.1.x before 6.1.4, 6.0.x before 6.0.6, 5.0.x before 5.0.10 |
| Date Released: | 30/09/2014 |
| Researcher: | Adam Bell |
| Identifiers: | SPL-89216, CVE-2014-5466 |
| Timeline: | August 6th 2014 : Issue disclosed to vendor August 15th 2014 : Issue and reproduction confirmed by vendor September 30th 2014 : Vendor publishes security advisory and patch |
TECHNICAL DETAIL
Description
A persistent cross-site scripting (XSS) vulnerability allows for malicious content to be stored by and into a web application that is subsequently accessed and executed in the context of a victim user’s web browser.
In the Splunk Web application (part of Splunk Enterprise) the name of searches that are automatically saved, such as those generated when creating reports, are not subject to the same input filtering as those that are manually created by a user. When viewing the information of a saved search that has completed running, the name of the search is displayed and not sufficiently HTML encoded.
To this end, a malicious user can create a report with a name containing malicious, JavaScript content that can be executed by another user if they inspect the saved search associated with this report.
Impact
An attacker who can coerce another user to inspect the injected saved search would have the potential to hijack the attacked users entire Splunk session. In the event that this user is an administrative user, this could have significant consequences for the security of the entire Splunk instance.
Recommendations
Update to Splunk Enterprise version 6.1.4, 6.0.6 or 5.0.10 or greater to resolve this issue.