CVE-2024-36992 MEDIUM

CVE-2024-36992: Persistent Cross-site Scripting (XSS) in Dashboard Elements

Vendor Splunk
Product Splunk Enterprise
Weakness CWE-79 · XSS
Published July 1, 2024
Last update February 28, 2025
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthorized JavaScript code in the browser of a user. The “url” parameter of the Dashboard element does not have proper input validation to reject invalid URLs, which could lead to a Persistent Cross-site Scripting (XSS) exploit.

Key dates

02Disclosure timeline

July 1, 2024 CVE published
February 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-43701 Apache Superset: Stored XSS on API endpoint CVE-2025-46343 n8n Vulnerable to Stored XSS through Attachments View Endpoint CVE-2022-43982 Apache Airflow prior to 2.4.2 allows reflected XSS via Origin Query Argument in URL CVE-2024-1236 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-50307 IBM Sterling B2B Integrator cross-site scripting