Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.<br><br>The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- Splunk / Splunk Cloud Platform9.3.2411 – 9.3.2411.132
- Splunk / Splunk Cloud Platform10.3.2512 – 10.3.2512.13
- Splunk / Splunk Cloud Platform10.2.2510 – 10.2.2510.15
- Splunk / Splunk Cloud Platform10.1.2507 – 10.1.2507.23
- Splunk / Splunk Enterprise10.2 – 10.2.4
- Splunk / Splunk Enterprise10.0 – 10.0.7
- Splunk / Splunk Enterprise9.4 – 9.4.12
- Splunk / Splunk Enterprise9.3 – 9.3.13
References
- VENDOR_ADVISORYhttps://advisory.splunk.com/advisories/SVD-2026-0604