CVE-2025-20368: 
Splunk Enterprise vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was identified in Splunk Enterprise and Splunk Cloud Platform, tracked as CVE-2025-20368. The vulnerability affects Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123. The flaw allows low-privileged users without admin or power roles to craft malicious payloads through error messages and job inspection details of saved searches (Splunk Advisory, GBHackers).

The vulnerability is classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 base score of 5.7 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The flaw specifically targets the Splunk Web component and is identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability requires low privilege access and user interaction to be exploited (Splunk Advisory).

A successful exploitation of this vulnerability could result in the execution of unauthorized JavaScript code in the browser of a user. This could potentially lead to unauthorized access to sensitive information or manipulation of user sessions (Splunk Advisory, GBHackers).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances automatically. As a workaround, organizations can disable Splunk Web, though this may impact functionality (Splunk Advisory).