4.8
CVE-2025-20385
- EPSS 0.03%
- Veröffentlicht 03.12.2025 17:00:29
- Zuletzt bearbeitet 05.12.2025 18:13:10
- Quelle psirt@cisco.com
- CVE-Watchlists
- Unerledigt
Stored Cross-Site scripting (XSS) through Anchor Tag "href" in Navigation Bar Collections in Splunk Enterprise
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Splunk ≫ Splunk Cloud Platform Version >= 9.3.2411 < 9.3.2411.117
Splunk ≫ Splunk Cloud Platform Version >= 10.0.2503 < 10.0.2503.7
Splunk ≫ Splunk Cloud Platform Version >= 10.1.2507 < 10.1.2507.6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.082 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| psirt@cisco.com | 2.4 | 0.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.