CVE-2024-36997: 
Splunk Enterprise vulnerability analysis and mitigation

A persistent cross-site scripting (XSS) vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform, identified as CVE-2024-36997. The vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, and Splunk Cloud Platform versions below 9.1.2312. This security issue was disclosed on July 1, 2024, and received a CVSS v3.1 score of 8.1 (HIGH) (Vendor Advisory).

The vulnerability allows an admin user to store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector is network-based with low attack complexity, requiring high privileges and user interaction, as indicated by the CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (Vendor Advisory).

The vulnerability can lead to persistent cross-site scripting attacks where malicious JavaScript code can be executed in the browser context of other Splunk users. This could potentially result in unauthorized access to sensitive information and compromise of user sessions. The impact is particularly severe as it affects the confidentiality and integrity of data, though availability is not impacted (Vendor Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. For Splunk Cloud Platform, Splunk is performing upgrades as part of Routine Maintenance. As a workaround, organizations can disable Splunk Web if it's not essential to operations. Splunk is actively monitoring for potential exploitation of this vulnerability (Vendor Advisory).