5.7
CVE-2025-20368
- EPSS 0.05%
- Veröffentlicht 01.10.2025 17:15:39
- Zuletzt bearbeitet 08.10.2025 20:22:57
- Quelle psirt@cisco.com
- CVE-Watchlists
- Unerledigt
Stored Cross-Site Scripting (XSS) through missing field warning messages in Saved Search and Job Inspector on Splunk Enterprise
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Splunk ≫ Splunk Cloud Platform Version >= 9.2.2406 < 9.2.2406.123
Splunk ≫ Splunk Cloud Platform Version >= 9.3.2408 < 9.3.2408.118
Splunk ≫ Splunk Cloud Platform Version >= 9.3.2411 < 9.3.2411.108
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.14 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| psirt@cisco.com | 5.7 | 2.1 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.