CVE-2025-20297: 
Splunk Enterprise vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform, tracked as CVE-2025-20297. The vulnerability was disclosed on June 2, 2025, affecting multiple versions of Splunk Enterprise (below 9.4.2, 9.3.4, and 9.2.6) and Splunk Cloud Platform (below 9.3.2411.102, 9.3.2408.111, and 9.2.2406.118). The vulnerability resides in the dashboard PDF generation component of Splunk Web (Splunk Advisory).

The vulnerability exists in the pdfgen/render REST endpoint of Splunk Web, which is responsible for dashboard PDF generation. It has been assigned a CVSSv3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and requires only authenticated access with minimal privileges and no user interaction (Splunk Advisory, GBHackers).

When exploited, the vulnerability allows low-privileged users without 'admin' or 'power' roles to craft malicious payloads that can execute unauthorized JavaScript code in other users' browsers. This could potentially lead to session hijacking or sensitive data exfiltration through the PDF rendering process (GBHackers).

Organizations are advised to upgrade Splunk Enterprise to versions 9.4.2, 9.3.4, 9.2.6, or higher. For Splunk Cloud Platform, instances are being actively monitored and patched by Splunk. As a temporary workaround, organizations can disable Splunk Web through the web.conf configuration file, although this will impact dashboard and PDF functionality (Splunk Advisory).