Splunk Patches Information Theft and XSS Flaws

Splunk last week released an update for Splunk Enterprise to address an information theft bug and a persistent Cross Site Scripting (XSS) vulnerability.

Discovered last year by security researcher John Page (who goes by the online handle of hyp3rlinx), the information theft issue is tracked as CVE-2017-5607 and has been assessed a CVSS Base Score of 3.5. The vulnerability can be exploited by a remote attacker to siphon information from Splunk Enterprise when the user visits a malicious webpage.

In an advisory, the security researcher notes that an attacker exploiting this vulnerability could access data such as the username of the currently logged-in user and whether the remote-user setting is enabled. With the username in hand, the attacker could then phish that user or brute-force the Splunk Enterprise login.

The attacker can exploit the issue with JavaScript alone: the root cause is that the config?autoload=1 endpoint returns executable script that assigns its data to the global Window variable ‘$C’, the security researcher notes in his advisory.

“To steal information we can simply define a function to be called when the ‘$C’ JS property is ‘set’ on the webpage, for example.

Object.defineProperty( Object.prototype, "$C", { set:function(val){…

The Object prototype is an Object that every other object inherits from in JavaScript. If we create a setter on the name of our target, in this case “$C”, we can get/steal the value of this data; in this case it is very easy as it is assigned to the global Window namespace,” the researcher explains.
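The leak mechanism the researcher describes, as an added example written for this article (it is not hyp3rlinx's proof-of-concept and not Splunk code): a plain object stands in for the attacker page's global window, and the two response bodies are constructed to mimic the shape of the vulnerable endpoint's output (an assignment to window.$C) and of a plain JSON response. The field names and values inside them are assumptions, not Splunk's real output.

```javascript
// Added example, not the researcher's PoC or Splunk code.
// Models the cross-origin script-include leak: the attacker page first plants a
// setter for "$C" on Object.prototype, then loads the victim's
// config?autoload=1 response as a <script>. Because that response is executable
// JS that assigns window.$C, the planted setter receives the object.

// Constructed response bodies (field names/values are assumptions).
const JS_ASSIGNMENT_RESPONSE =
  'window.$C = {"USERNAME": "admin", "SPLUNKD_FREE_LICENSE": false};';
const PLAIN_JSON_RESPONSE =
  '{"USERNAME": "admin", "SPLUNKD_FREE_LICENSE": false}';

// Runs `scriptBody` the way a browser runs an included <script>, with a
// stand-in object as the page's global, after planting a prototype setter for
// `name`. Returns what the setter captured (if anything) and any load error.
function stealViaPrototypeSetter(name, scriptBody) {
  let captured;
  Object.defineProperty(Object.prototype, name, {
    configurable: true, // so the setter can be removed again below
    set(val) { captured = val; },
    get() { return captured; },
  });
  // Plain object standing in for the attacker origin's window; like the real
  // window it inherits from Object.prototype, so `window.$C = ...` has no own
  // property to hit and walks up the chain to the planted setter.
  const window = {};
  try {
    new Function('window', scriptBody)(window);
  } catch (err) {
    // A bare JSON object literal is not a valid statement, so the "script"
    // fails to parse and nothing is ever assigned.
    return { leaked: false, error: err.constructor.name };
  } finally {
    delete Object.prototype[name]; // clean up the global pollution
  }
  return { leaked: captured !== undefined, value: captured };
}

// Example runs
const hit = stealViaPrototypeSetter('$C', JS_ASSIGNMENT_RESPONSE);
const miss = stealViaPrototypeSetter('$C', PLAIN_JSON_RESPONSE);
console.log('JS assignment leaks username:', hit.leaked && hit.value.USERNAME);
console.log('Plain JSON leaks:', miss.leaked, '(' + miss.error + ')');
```

The contrast is the practical takeaway: per-user data served as an executable global assignment is readable by any origin that can make the victim's browser include it as a script, while the same data served as a plain JSON document (correct content type, no JS wrapper) fails to parse as a script and exposes nothing. In a real attack the victim's browser must also attach the Splunk session cookie to the cross-origin script request, which is why the page's account must be logged in and why SameSite cookie restrictions blunt this class of leak.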

Splunk has confirmed that affected Splunk Enterprise versions include 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before; 6.1.x before 6.1.13; 6.0.x before 6.0.14; 5.0.x before 5.0.18; and Splunk Light before 6.5.2.

The security researcher discovered the bug in November 2016 and reported it to Splunk the same month. He received acknowledgement of the bug a couple of days later, but the patch was released only last week. The researcher published not only details pertaining to the vulnerability, but also proof-of-concept JavaScript code and a video to demonstrate the flaw.

The second vulnerability addressed in Splunk Enterprise last week was a persistent Cross Site Scripting flaw in Splunk Web that allows an attacker to inject and store arbitrary script, but only after authenticating to Splunk Web. Assessed a CVSS Base Score of 6.6, the flaw impacts Splunk Enterprise versions 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before 6.2.13; and Splunk Light before 6.5.2.

Related: Splunk Unveils New Threat Detection, Analytics Offerings

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
