CNNVD-202512-378 Information
CNNVD ID
CNNVD-202512-378
Related CVE
- CNNVD Published: 2025-12-03
Description (Chinese)
Splunk Cloud Platform和Splunk Enterprise都是美国Splunk公司的产品。Splunk Cloud Platform是一个强大的数据收集、处理和分析服务。Splunk Enterprise是一套数据收集分析软件。 Splunk Cloud Platform和Splunk Enterprise存在跨站脚本漏洞,该漏洞源于高权限用户可通过锚标签href属性构造恶意有效载荷,可能导致执行未经授权的JavaScript代码。以下版本受到影响:Splunk Enterprise 10.0.2之前版本、9.4.6版本、9.3.8版本和9.2.10版本和Splunk Cloud Platform 10.1.2507.6之前版本、10.0.2503.7版本和9.3.2411.117之前版本。
Description (English)
Splunk Cloud Platform and Splunk Enterprise are products of the United States company Splunk. Splung Cloud Platform is a powerful data collection, processing and analysis service. Splung Enterprise is a data collection and analysis software. Splunk Cloud Platform and Splunk Enterprise have a cross-site script loophole, which stems from the fact that high-authorized users can construct a malicious payload through the href properties of the anchor tag, which may lead to the implementation of unauthorized JavaScript codes. The following versions were affected: Spronk Enterprise 10.0.2, version 9.4.6, version 9.3.8 and version 9.2.10 and Spronk Cloud Platform 10.1.25007.6, version 10.0203.7 and version 9.3.241.117.
Hazard Level
Critical
Vulnerability Type
跨站脚本
Affected Vendor
Splunk
Published
2025-12-03
Last Modified
2026-02-24
References
https://advisory.splunk.com/advisories/SVD-2025-1204 https://vigilance.fr/vulnerability/Splunk-Enterprise-Cross-Site-Scripting-via-Navigation-Bar-Collections-48968
Patch
https://www.splunk.com/en_us/products/splunk-enterprise.html
Share on: