CVE-2024-45741: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2024-45741 is a persistent cross-site scripting (XSS) vulnerability affecting Splunk Enterprise versions below 9.2.3 and 9.1.6, and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205. The vulnerability was discovered and disclosed on October 14, 2024. This security flaw affects the Splunk Web component, specifically the '/manager/search/apps/local' endpoint (Splunk Advisory).

The vulnerability allows a low-privileged user without 'admin' or 'power' Splunk roles to create a malicious payload through a custom configuration file that exploits the 'api.uri' parameter from the '/manager/search/apps/local' endpoint in Splunk Web. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability can result in the execution of unauthorized JavaScript code in the browser of a user. This could potentially lead to unauthorized access to sensitive information or manipulation of the user's browser session (Splunk Advisory).

Splunk has released patches to address this vulnerability. Organizations are advised to upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, 9.1.6, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. As a workaround, organizations can disable Splunk Web, as the vulnerability only affects instances with Splunk Web enabled (Splunk Advisory).