Key Highlights
Multiple critical vulnerabilities have been disclosed in Splunk Enterprise and Splunk Cloud Platform, affecting versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8. These include cross-site scripting (XSS), server-side request forgery (SSRF), denial of service (DoS), XML external entity (XXE) injection, and improper access control flaws. Exploitation of these vulnerabilities could lead to remote JavaScript execution, unauthorized access to sensitive data, and system disruption.
Impact
Successful exploitation may result in:
Compromise of other users’ sessions and exposure of sensitive data via XSS vulnerabilities.
Execution of REST API calls on behalf of high-privilege users via SSRF.
Denial of service through excessive LDAP bind requests or XXE injection.
Unauthorized access to sensitive search results by low-privileged users.
Details
CVE-2025-20367: Reflected XSS in /app/search/table endpoint via dataset.command parameter (CVSS 5.7).
CVE-2025-20368: Stored XSS in Saved Search and Job Inspector features (CVSS 5.7).
CVE-2025-20371: Unauthenticated blind SSRF via enableSplunkWebClientNetloc=true setting (CVSS 7.5).
CVE-2025-20370: DoS via multiple LDAP bind requests by users with change_authentication privilege (CVSS 4.9).
CVE-2025-20369: XXE injection triggered through the dashboard label field (CVSS 4.6).
CVE-2025-20366: Improper access control allowing sensitive search results access by guessing unique search job IDs (CVSS 6.5).
Exploitation Activity
XSS vulnerabilities can be exploited by low-privileged users to compromise other users’ sessions and access sensitive data. SSRF exploitation requires phishing to trick users into initiating requests. DoS attacks can be triggered by overwhelming the server with LDAP requests.
Mitigation Strategies
Organizations should upgrade to:
Splunk Enterprise: 10.0.1, 9.4.4, 9.3.6, 9.2.8 or higher.
Splunk Cloud Platform: Patches are managed automatically.
If immediate upgrades are not possible:
Disable Splunk Web to mitigate web-based vulnerabilities.
Set enableSplunkWebClientNetloc=false to reduce SSRF risk.
Remove the high-privilege change_authentication capability from roles that do not need it to prevent DoS.
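As an added example (not from the advisory and not Splunk's own tooling), a small Python check that maps a host's Splunk Enterprise version to the fixed release for its branch and parses a web.conf fragment for the enableSplunkWebClientNetloc setting named above. It assumes the setting lives under the [settings] stanza and that version strings are dotted integers such as 9.3.5.

```python
import configparser
from typing import Optional, Tuple

# Fixed releases from the advisory, keyed by release branch ("major.minor").
FIXED_VERSIONS = {
    "10.0": (10, 0, 1),
    "9.4": (9, 4, 4),
    "9.3": (9, 3, 6),
    "9.2": (9, 2, 8),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.3.5" into (9, 3, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.strip().split("."))

def needs_upgrade(version: str) -> Optional[bool]:
    """True if below the branch's fixed release, False if at/above,
    None if the branch is not one the advisory lists."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return None
    return parts < fixed

def web_client_netloc_enabled(web_conf_text: str) -> bool:
    """Parse INI-style web.conf text and report whether enableSplunkWebClientNetloc
    is true under [settings] (assumed location; a missing key counts as false)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    return cp.getboolean("settings", "enableSplunkWebClientNetloc", fallback=False)

def assess(version: str, web_conf_text: str) -> list:
    """Collect advisory-relevant findings for one host."""
    findings = []
    upgrade = needs_upgrade(version)
    if upgrade is True:
        findings.append(f"version {version} is below the fixed release for its branch")
    elif upgrade is None:
        findings.append(f"version {version} is on a branch the advisory does not list")
    if web_client_netloc_enabled(web_conf_text):
        findings.append("enableSplunkWebClientNetloc=true: SSRF exposure (CVE-2025-20371)")
    return findings

# Constructed sample web.conf fragments (not from a real host): weak vs corrected.
WEAK_WEB_CONF = "[settings]\nhttpport = 8000\nenableSplunkWebClientNetloc = true\n"
HARDENED_WEB_CONF = "[settings]\nhttpport = 8000\nenableSplunkWebClientNetloc = false\n"
```

Running `assess("9.3.5", WEAK_WEB_CONF)` reports both the outdated version and the SSRF-relevant setting, while `assess("9.4.4", HARDENED_WEB_CONF)` returns no findings.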