We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE

PUBLISHED

CVE-2024-36993

Persistent Cross-site Scripting (XSS) in Web Bulletin

Assigner	Splunk
Reserved	2024-05-30
Published	2024-07-01
Updated	2024-07-03

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user.

MEDIUM: 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Product status

9.2 before 9.2.2

affected

9.1 before 9.1.5

affected

9.0 before 9.0.10

affected

9.1.2312 before 9.1.2312.200

affected

9.1.2308 before 9.1.2308.207

affected

Credits

Anton (therceman)

References

https://advisory.splunk.com/advisories/SVD-2024-0713

https://research.splunk.com/application/fd852b27-1882-4505-9f2c-64dfb96f4fc1

cve.org CVE-2024-36993

nvd.nist.gov CVE-2024-36993

Download JSON

https://cve.threatint.com/CVE/CVE-2024-36993

Find us on

Data Privacy
Terms of Use