Security

XSS SplunkWeb vulnerability

lboyd
New Member

Several sources indicate a XSS vulnerability in recent Splunk versions. I can find no reference to this issue on your site or in the change logs. Below are some recent examples of sites referring to this issue confirmed in a different Splunk version 6.1.1; our Nessus scanner is also hitting on it(by exploit test and not version check) against version 5.0.8.

cn.tenable.com/plugins/index.php?view=single&id=74243

www.securityfocus.com/bid/67655/info

packetstormsecurity.com/files/126813/Splunk-6.1.1-Cross-Site-Scripting.html

Does the Splunk team have a plan to address this vulnerability?

Tags (2)
0 Karma

dwolf_splunk
Splunk Employee
Splunk Employee

Hi lboyd,

Splunk Product Security is aware of this XSS referrer header vulnerability. Engineering has fixed the issue, and updates are coming soon in upcoming maintenance releases. Please stay tuned for more details.

0 Karma

dwolf_splunk
Splunk Employee
Splunk Employee

Hi Robert,

The next maintenance release is in assurance testing and will be published soon. Splunk releases are cumulative, meaning that future releases will contain fixes to vulnerabilities, new features and other bug fixes. Please bear with us while we ensure the new bits work as expected across multiple platforms and configurations.

0 Karma

robert_miller
Path Finder

Is there an ETA when this fix will be released?

0 Karma

piebob
Splunk Employee
Splunk Employee

hi lboyd, someone from our prodsec team will be by soon to respond to your question.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...