Persistent cross-site scripting (XSS) in Splunk Dashboard
|Title:||Persistent cross-site scripting (XSS) in Splunk Dashboard|
|Versions:||6.1.x before 6.1.4, 6.0.x before 6.0.6, 5.0.x before 5.0.10|
|Timeline:||August 6th 2014 : Issue disclosed to vendor
August 15th 2014 : Issue and reproduction confirmed by vendor
September 30th 2014 : Vendor publishes security advisory and patch
A persistent cross-site scripting (XSS) vulnerability allows for malicious content to be stored by and into a web application that is subsequently accessed and executed in the context of a victim user’s web browser.
In the Splunk Web application (part of Splunk Enterprise) the name of searches that are automatically saved, such as those generated when creating reports, are not subject to the same input filtering as those that are manually created by a user. When viewing the information of a saved search that has completed running, the name of the search is displayed and not sufficiently HTML encoded.
An attacker who can coerce another user to inspect the injected saved search would have the potential to hijack the attacked users entire Splunk session. In the event that this user is an administrative user, this could have significant consequences for the security of the entire Splunk instance.
Update to Splunk Enterprise version 6.1.4, 6.0.6 or 5.0.10 or greater to resolve this issue.