CVE-2025-20367: Cross-site scripting (the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users) in Splunk Enterprise
In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
AI Analysis
Technical Summary
CVE-2025-20367 is a cross-site scripting (XSS) vulnerability in Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and in Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122. The root cause is improper neutralization of user-controllable input before it is placed in a web page served to other users. A low-privileged user who holds neither the 'admin' nor the 'power' Splunk role can supply a crafted `dataset.command` parameter to the `/app/search/table` endpoint; when Splunk Web renders that value in another user's browser, the embedded JavaScript executes within the victim's session and can read what that session can read and issue requests with the victim's privileges. The advisory does not state whether the payload is reflected from the request or persisted, so defenders should assume the attacker's main requirement is getting a victim to load the crafted page, for example through a link shared inside the organisation. The CVSS 3.1 base score of 5.7 (medium) reflects a network attack vector, low privileges required and required user interaction; the rated impact is on confidentiality only, since the scored outcome is disclosure of information accessible through the victim's session, while integrity and availability are not scored as affected. No exploitation in the wild has been reported, but the vulnerability is publicly disclosed and fixed in the versions listed above. Because Splunk is widely deployed as a security information and event management (SIEM) and operational-intelligence platform, the users most worth targeting with this bug are precisely the analysts and administrators whose sessions hold the most sensitive data.
Potential Impact
For European organisations this vulnerability primarily threatens the confidentiality of the security and operational data held in Splunk. Script executing in a legitimate user's browser can read what that user can read and issue requests with that user's privileges; if the victim is an administrator, a low-privileged account becomes a path to data the attacker could not otherwise reach and potentially to unauthorised actions in Splunk itself. Because Splunk frequently ingests logs from critical infrastructure, financial systems and personal-data processing, a breach of that data can fall under GDPR and carry legal and financial consequences. The medium score reflects that exploitation needs both an authenticated low-privileged account and a victim who loads the crafted page, but those conditions are easy to meet where many users share a Splunk instance and routinely open links to searches and dashboards sent by colleagues. Multi-tenant or shared Splunk deployments, in which one group's users can reach another's, are the most exposed, as are deployments that hand out Splunk accounts broadly (for example to every member of an operations or development team), since each such account is a potential source of the payload.
Mitigation Recommendations
1. Upgrade Splunk Enterprise to 9.4.4, 9.3.6 or 9.2.8 (or later within each release line). Splunk Cloud Platform instances are upgraded by Splunk; confirm the instance is on 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 or later.
2. Review role assignments and remove Splunk accounts that are no longer needed: the attack requires an authenticated account, so every unnecessary low-privileged user is attack surface. Keep the set of 'admin' and 'power' users, the most valuable victims, as small as possible.
3. Where a reverse proxy or WAF fronts Splunk Web, add a rule that inspects the `dataset.command` query parameter on requests whose path ends in `/app/search/table` and blocks or alerts on HTML tags, event-handler attributes and `javascript:` URLs. Treat this as a stopgap rather than a fix, since encoding variations can evade pattern matching.
4. Include Splunk Web inputs in regular web-application assessments and penetration tests to find similar injection points before attackers do.
5. Tell users to be wary of links to Splunk pages received from colleagues or embedded in dashboards they did not create, particularly links whose query string contains unexpected characters.
6. Monitor Splunk's own web access logs for requests to `/app/search/table` whose `dataset.command` value contains markup or script, and correlate the requesting user and source address with subsequent activity from the same session.
7. If patching must wait, restrict network access to Splunk Web to trusted ranges, restrict the affected path at the proxy where that does not break legitimate use, and, where an identity provider controls Splunk logins, limit web logins to accounts that genuinely need the UI.
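The following script is an added example of recommendation 6, not code from Splunk or from this advisory. It scans Splunk Web access log lines for requests to the `/app/search/table` endpoint whose `dataset.command` value contains HTML or script tokens, decoding the query string twice so that double-encoded payloads are caught. The sample lines are constructed to resemble Splunk's `web_access.log` format, the `/en-US/` locale prefix, the `LOG_RE` field layout and the `SUSPICIOUS` token list are all assumptions to adjust for your deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the style of Splunk's web_access.log
# (assumed layout: client - user [time] "METHOD URI PROTO" status bytes ...).
# Line 1 is a benign value, line 3 hits a different endpoint, lines 2 and 4
# carry payloads aimed at dataset.command (line 4 is double percent-encoded).
SAMPLE_WEB_ACCESS_LOG = """\
10.0.0.5 - alice [01/Oct/2025:16:17:05.123 +0000] "GET /en-US/app/search/table?dataset.command=%7C%20stats%20count HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 7f3a2b 41ms
10.0.0.9 - bob [01/Oct/2025:16:18:11.456 +0000] "GET /en-US/app/search/table?dataset.command=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0" - 9c1d4e 38ms
10.0.0.9 - bob [01/Oct/2025:16:19:02.789 +0000] "GET /en-US/app/search/search?q=search%20index%3Dmain HTTP/1.1" 200 9001 "-" "Mozilla/5.0" - 9c1d4e 120ms
10.0.0.12 - carol [01/Oct/2025:16:20:30.000 +0000] "POST /en-US/app/search/table?dataset.command=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 300 "-" "curl/8.4" - 1a2b3c 9ms
"""

# Assumed field layout; adjust if your web_access.log differs.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that do not belong in a legitimate dataset.command value but show up
# in almost every XSS payload. Deliberately broad; tune for your environment.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"         # HTML tag opener, including </ and <!--
    r"|\bon[a-z]+\s*="         # inline event handler: onerror=, onload=, ...
    r"|javascript\s*:"         # javascript: URL scheme
    r"|\bsrcdoc\b"             # iframe srcdoc carries inline HTML
    r"|data\s*:\s*text/html",  # data: URL with an HTML body
    re.IGNORECASE,
)


def parse_line(line):
    """Split one access-log line into fields and decode its query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    decoded = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decode a second time so that a
    # double-encoded payload (%253C -> %3C -> <) is inspected in final form.
    rec["params"] = {k: [unquote(v) for v in vs] for k, vs in decoded.items()}
    return rec


def is_table_endpoint(path):
    """Splunk Web prefixes app URLs with a locale (/en-US/...), so match the tail."""
    return path.rstrip("/").endswith("/app/search/table")


def find_suspicious_requests(log_text):
    """Return requests whose dataset.command value looks like markup or script."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_table_endpoint(rec["path"]):
            continue
        for value in rec["params"].get("dataset.command", []):
            if SUSPICIOUS.search(value):
                hits.append({
                    "ts": rec["ts"], "user": rec["user"], "src_ip": rec["src_ip"],
                    "method": rec["method"], "payload": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_WEB_ACCESS_LOG):
        print(f"{hit['ts']} user={hit['user']} src={hit['src_ip']} "
              f"{hit['method']} dataset.command={hit['payload']!r}")
```

Run against the constructed sample it reports the requests from `bob` and `carol` and ignores the benign `| stats count` value and the unrelated search endpoint. The same filter can be expressed in SPL over `index=_internal sourcetype=splunk_web_access` as a scheduled alert; the Python form is shown because it runs offline over exported logs and makes the double-decoding step explicit.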
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisco
- Date Reserved: 2024-10-10T19:15:13.261Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dd5401795552734e39105b
Added to database: 10/1/2025, 4:17:05 PM
Last enriched: 10/1/2025, 4:18:47 PM
Last updated: 10/2/2025, 4:14:00 PM