CVE-2025-20297: 
Splunk Enterprise vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform, tracked as CVE-2025-20297. The vulnerability was disclosed on June 2, 2025, affecting multiple versions of Splunk Enterprise (below 9.4.2, 9.3.4, and 9.2.6) and Splunk Cloud Platform (below 9.3.2411.102, 9.3.2408.111, and 9.2.2406.118). The flaw exists in the dashboard PDF generation component of Splunk Web (Splunk Advisory, Wiz).

The vulnerability resides in the pdfgen/render REST endpoint of Splunk Web, which is responsible for dashboard PDF generation. It has been assigned a CVSSv3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and requires only authenticated access with minimal privileges and no user interaction (Splunk Advisory, GBHackers).

When exploited, the vulnerability allows low-privileged users without 'admin' or 'power' roles to craft malicious payloads that can execute unauthorized JavaScript code in other users' browsers. This could potentially lead to session hijacking or sensitive data exfiltration through the PDF rendering process (GBHackers).

Organizations are advised to upgrade Splunk Enterprise to versions 9.4.2, 9.3.4, 9.2.6, or higher. For Splunk Cloud Platform, instances are being actively monitored and patched by Splunk. As a temporary workaround, organizations can disable Splunk Web through the web.conf configuration file, although this will impact dashboard and PDF functionality (Splunk Advisory).

The vulnerability was discovered by Klevis Luli and reported to Splunk. While the CVSS score is moderate, security experts note that the risk is elevated by the low privilege requirements and the lack of required user interaction (GBHackers).