Summary
Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.
| Field | Value |
|---|---|
| OEM | Cisco |
| Severity | MEDIUM |
| CVSS Score | 4.3 |
| CVEs | CVE-2025-20297 |
| CWEs | CWE-79 |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.
This issue allows low-privileged users to execute unauthorized JavaScript code in a victim’s browser through a Splunk feature that generates PDFs from dashboards.
Although the vulnerability is rated Medium (CVSS 4.3), it could pose a significant risk in environments where Splunk Web is widely accessed by users.
The vulnerability specifically affects instances with Splunk Web enabled, which covers the majority of production deployments given that component’s central role in dashboard management and the user interface.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Reflected Cross-Site Scripting | CVE-2025-20297 | Splunk Enterprise & Cloud | Medium | Check the remediation section. |
Technical Summary
The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low-privileged user (not an admin or power user) can inject a malicious script via this endpoint.
If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent; this behaves as a reflected XSS.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-20297 | Splunk Enterprise & Cloud, multiple versions | Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser. | Code execution / reflected XSS. |
Remediation:
Splunk has released updates that address the vulnerability:
If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation: review the web.conf configuration file and follow Splunk’s guidance on disabling unnecessary components.
Disabling Splunk Web may impact users who rely on the web interface, so consider access controls or network-based restrictions as temporary mitigations.
Conclusion:
While CVE-2025-20297 is rated as a medium-severity vulnerability, it should not be ignored in environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher-privileged users by crafting malicious links or payloads.
Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.
Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking.
While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure.
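As an added example (not from the advisory and not Splunk’s own tooling), the following Python script shows the kind of endpoint monitoring suggested above: it parses constructed web-access log lines in a combined-log layout that is assumed to approximate Splunk’s web_access.log, flags requests to the pdfgen/render endpoint whose decoded query parameters contain markup or script fragments, and tallies hits per user so privilege assignments can be reviewed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in a combined-log style approximating Splunk's
# web_access.log (the field layout is an assumption, not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - analyst [01/Jun/2025:10:00:01.000 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=ops_overview HTTP/1.1" 200 51234 "-" "Mozilla/5.0" - 7ms
10.0.0.9 - lowpriv [01/Jun/2025:10:02:15.000 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 8123 "-" "Mozilla/5.0" - 9ms
10.0.0.9 - lowpriv [01/Jun/2025:10:02:40.000 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?paper-size=a4%22%20onerror%3Dalert(1) HTTP/1.1" 200 8123 "-" "Mozilla/5.0" - 9ms
10.0.0.7 - admin [01/Jun/2025:10:05:00.000 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 3ms
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup/script fragments that have no business in a dashboard name or render option (heuristic).
SUSPICIOUS_RE = re.compile(r'<[a-zA-Z/!]|javascript:|["\'\s]on[a-z]+\s*=', re.IGNORECASE)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_render_request(entry):
    """True if the request hits pdfgen/render and its decoded query carries markup/script fragments."""
    path = entry["path"]
    if "pdfgen/render" not in path:
        return False
    _, _, query = path.partition("?")
    decoded = unquote_plus(unquote_plus(query))  # second pass catches double-encoded parameters
    return bool(SUSPICIOUS_RE.search(decoded))

def find_suspicious_requests(log_text):
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_render_request(entry):
            hits.append(entry)
    return hits

def summarize_by_user(log_text):
    # Per-user counts feed the privilege review the advisory recommends.
    return Counter(h["user"] for h in find_suspicious_requests(log_text))

if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} {h["method"]} {h["path"]}')
    print(summarize_by_user(SAMPLE_LOG))
```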
This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.