CVE-2022-43568: 
Splunk Forwarder vulnerability analysis and mitigation

CVE-2022-43568 affects Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, where a View component allows for a Reflected Cross Site Scripting vulnerability via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio. The vulnerability was disclosed on November 2, 2022, and received a CVSS v3.1 base score of 8.8 (High) from Splunk Inc (Splunk Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) and specifically affects instances with Splunk Web enabled. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is unchanged (S:U) with high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD, Splunk Advisory).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript in the context of the user's browser, potentially leading to unauthorized actions, data theft, or further compromise of the affected Splunk instance (Splunk Research).

The primary mitigation is to upgrade Splunk Enterprise to versions 8.1.12, 8.2.9, 9.0.2, or higher. For systems that cannot be immediately updated, a workaround exists by disabling Splunk Web, though this may impact functionality. For Splunk Cloud Platform users, Splunk actively patches and monitors the cloud instances (CERT-EU, Splunk Advisory).