Vulnerabilities > Splunk

DATE CVE VULNERABILITY TITLE RISK
2020-01-23 CVE-2013-6773 Improper Privilege Management vulnerability in Splunk
Splunk 5.0.3 has an Unquoted Service Path in Windows for Universal Forwarder which can allow an attacker to escalate privileges
local
low complexity
splunk microsoft CWE-269
4.6
2020-01-23 CVE-2013-6772 Improper Restriction of Rendered UI Layers OR Frames vulnerability in Splunk
Splunk before 5.0.4 lacks X-Frame-Options which can allow Clickjacking
network
splunk CWE-1021
4.3
2019-08-05 CVE-2019-3800 Information Exposure vulnerability in multiple products
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag.
2.1
2019-03-21 CVE-2019-5729 Improper Certificate Validation vulnerability in Splunk Software Development KIT
Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.
network
splunk CWE-295
6.8
2019-02-21 CVE-2019-5727 Cross-Site Scripting vulnerability in Splunk
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.
network
splunk CWE-79
3.5
2018-10-23 CVE-2018-7432 Improper Input Validation vulnerability in Splunk
Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allow remote attackers to cause a denial of service via a crafted HTTP request.
network
low complexity
splunk CWE-20
5.0
2018-10-23 CVE-2018-7431 Path Traversal vulnerability in Splunk
Directory traversal vulnerability in the Splunk Django App in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote authenticated users to read arbitrary files via unspecified vectors.
network
low complexity
splunk CWE-22
4.0
2018-10-23 CVE-2018-7429 Improper Input Validation vulnerability in Splunk
Splunkd in Splunk Enterprise 6.2.x before 6.2.14 6.3.x before 6.3.11, and 6.4.x before 6.4.8; and Splunk Light before 6.5.0 allow remote attackers to cause a denial of service via a malformed HTTP request.
network
low complexity
splunk CWE-20
5.0
2018-10-23 CVE-2018-7427 Cross-Site Scripting vulnerability in Splunk
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
splunk CWE-79
4.3
2018-10-19 CVE-2017-18348 Incorrect Permission Assignment FOR Critical Resource vulnerability in Splunk
Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.
local
splunk CWE-732
6.9