Vulnerabilities > Splunk > Splunk Cloud Platform > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-30 | CVE-2023-40592 | Cross-site Scripting vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint. | 6.1 |
| 2023-06-01 | CVE-2023-32706 | XXE vulnerability in Splunk and Splunk Cloud Platform On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. | 6.5 |
| 2023-06-01 | CVE-2023-32709 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 9.0.5, 8.2.11. | 4.3 |
| 2023-06-01 | CVE-2023-32710 | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run. | 5.3 |
| 2023-06-01 | CVE-2023-32716 | Improper Check for Unusual or Exceptional Conditions vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker can exploit a vulnerability in the {{dump}} SPL command to cause a denial of service by crashing the Splunk daemon. | 6.5 |
| 2023-06-01 | CVE-2023-32717 | Unspecified vulnerability in Splunk and Splunk Cloud Platform On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. | 4.3 |
| 2023-02-14 | CVE-2023-22931 | Incorrect Default Permissions vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. | 4.3 |
| 2023-02-14 | CVE-2023-22932 | Cross-site Scripting vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. | 6.1 |
| 2023-02-14 | CVE-2023-22933 | Cross-site Scripting vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. | 6.1 |
| 2023-02-14 | CVE-2023-22936 | Server-Side Request Forgery (SSRF) vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. | 6.3 |