CVE-2022-43561: 
Splunk Forwarder vulnerability analysis and mitigation

CVE-2022-43561 is a persistent cross-site scripting (XSS) vulnerability discovered in Splunk Enterprise. The vulnerability affects versions below 8.1.12, 8.2.9, and 9.0.2 with Splunk Web enabled. It allows a remote user with the "power" Splunk role to store arbitrary scripts in the 'Save Table' dialog on the search page, potentially leading to persistent XSS attacks (Splunk Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. The vulnerability specifically targets the endpoint /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model through POST requests containing potential XSS payloads (Splunk Research, NVD).

If successfully exploited, this vulnerability could enable attackers to execute arbitrary scripts in the context of the affected user, potentially leading to data theft, session hijacking, or further exploitation within the Splunk environment. The vulnerability only impacts instances with Splunk Web enabled (Splunk Research).

The primary mitigation is to upgrade Splunk Enterprise to versions 8.1.12, 8.2.9, 9.0.2, or higher. For distributed environments where users don't log into Splunk Web on indexers, it's recommended to disable Splunk Web on those indexers. For Splunk Cloud Platform, Splunk actively patches and monitors the cloud instances (Splunk Advisory).