4.6
CVE-2025-20369
- EPSS 0.03%
- Published 01.10.2025 17:15:40
- Last modified 02.10.2025 19:11:46
- Source psirt@cisco.com
- Teams watchlist Login
- Open Login
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorSplunk
≫
Product
Splunk Enterprise
Version <
10.0.0
Version
10.0
Status
affected
Version <
9.4.4
Version
9.4
Status
affected
Version <
9.3.6
Version
9.3
Status
affected
Version <
9.2.8
Version
9.2
Status
affected
VendorSplunk
≫
Product
Splunk Cloud Platform
Version <
9.3.2411.108
Version
9.3.2411
Status
affected
Version <
9.3.2408.118
Version
9.3.2408
Status
affected
Version <
9.2.2406.123
Version
9.2.2406
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.083 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| psirt@cisco.com | 4.6 | 2.1 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
|
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.