CVE-2025-20385
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-05
Assigner: Cisco Systems, Inc.
Description
Description
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 9.2.0 (inc) to 9.2.10 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.8 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.6 (exc) |
| splunk | splunk | From 10.0.0 (inc) to 10.0.2 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.117 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.7 (exc) |
| splunk | splunk_cloud_platform | From 10.1.2507 (inc) to 10.1.2507.6 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
