Persistent cross-site scripting (XSS) in Splunk Dashboard

AdVisory Summary

Title: Persistent cross-site scripting (XSS) in Splunk Dashboard
Impact: Execution of arbitrary JavaScript
Vendor: Splunk Inc.
Product: Splunk Enterprise
Versions: 6.1.x before 6.1.4, 6.0.x before 6.0.6, 5.0.x before 5.0.10
Date Released: 30/09/2014
Researcher: Adam Bell
Identifiers: SPL-89216, CVE-2014-5466
Timeline: August 6th 2014 : Issue disclosed to vendor
August 15th 2014 : Issue and reproduction confirmed by vendor
September 30th 2014 : Vendor publishes security advisory and patch




A persistent cross-site scripting (XSS) vulnerability allows for malicious content to be stored by and into a web application that is subsequently accessed and executed in the context of a victim user’s web browser.

In the Splunk Web application (part of Splunk Enterprise) the name of searches that are automatically saved, such as those generated when creating reports, are not subject to the same input filtering as those that are manually created by a user. When viewing the information of a saved search that has completed running, the name of the search is displayed and not sufficiently HTML encoded.

To this end, a malicious user can create a report with a name containing malicious, JavaScript content that can be executed by another user if they inspect the saved search associated with this report.


An attacker who can coerce another user to inspect the injected saved search would have the potential to hijack the attacked users entire Splunk session. In the event that this user is an administrative user, this could have significant consequences for the security of the entire Splunk instance.


Update to Splunk Enterprise version 6.1.4, 6.0.6 or 5.0.10 or greater to resolve this issue.