CVE-2024-36993

5.4 MEDIUM

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform. An authenticated low-privileged user (one who holds neither the admin nor the power role) can craft a Bulletin Message containing JavaScript. Bulletin messages are persisted and displayed to everyone who uses Splunk Web, so the payload runs in the browser of any user who views the bulletin, administrators included, and runs with that user's session.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Cloud Platform
Versions: Splunk Enterprise: below 9.2.2, 9.1.5, and 9.0.10; Splunk Cloud Platform: below 9.1.2312.200 and 9.1.2308.207
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated account, but not a privileged one: the advisory states that a user without the admin or power roles can create the malicious bulletin message.

📦 What is this software?

Splunk Enterprise is a platform for indexing, searching and analyzing machine data (logs, metrics, events) and is widely deployed as a SIEM. Splunk Web is its browser-based interface, and Bulletin Messages are the system notices it shows to logged-in users under the Messages menu. Splunk Cloud Platform is the vendor-hosted version of the same product, with upgrades applied by Splunk rather than by the customer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could run arbitrary JavaScript in an administrator's Splunk Web session: issue authenticated requests to splunkd through the victim's browser and so perform any action the victim's role allows, read whatever the victim can read, steal any cookie or token that is readable from script, or redirect the victim to a phishing page.

🟠

Likely Case

Unauthorized actions performed in the context of other users' sessions, credential or token theft, and session hijacking where the session material is reachable from script.

🟢

If Mitigated

With proper output encoding (escaping &, <, > and quotes when the bulletin text is rendered into HTML, in both element content and attribute values), the payload is displayed as literal text rather than parsed as markup, so no script runs. Input validation on message creation is a useful second layer but is not the fix on its own.
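The difference between the vulnerable and the mitigated rendering, shown as an added example that is not Splunk's code: a toy bulletin renderer that interpolates message text straight into HTML, beside one that encodes the text for the HTML context it lands in, plus a small parser-based audit that reports any tag or event handler that came from message text. The bulletin entries and the two XSS-style strings are constructed for the example and are not payloads from the advisory; the audit treats only ul and li as template tags, which is an assumption of this toy template.

```python
import html
from html.parser import HTMLParser

# Constructed sample bulletins. Entries 2 and 3 are the kind of text a
# low-privileged user might submit: one breaks into element content with a
# tag, the other breaks out of a quoted attribute with a stray quote.
BULLETINS = [
    {"severity": "info", "text": "Indexer idx-03 has been restarted"},
    {"severity": "warn", "text": "<img src=x onerror=alert(document.cookie)>"},
    {"severity": "warn", "text": 'x" onmouseover="alert(document.cookie)'},
]


def render_unsafe(messages):
    """Vulnerable pattern: message text is dropped straight into markup, so
    tags in the text become real tags and a quote in the text ends the
    title attribute and lets the rest become new attributes."""
    items = "".join(
        f'<li class="{m["severity"]}" title="{m["text"]}">{m["text"]}</li>'
        for m in messages
    )
    return f'<ul id="bulletins">{items}</ul>'


def render_safe(messages):
    """Hardened pattern: html.escape(quote=True) encodes & < > " and ', so the
    text is inert both as element content and inside a quoted attribute."""
    items = "".join(
        f'<li class="{html.escape(m["severity"], quote=True)}" '
        f'title="{html.escape(m["text"], quote=True)}">'
        f'{html.escape(m["text"], quote=True)}</li>'
        for m in messages
    )
    return f'<ul id="bulletins">{items}</ul>'


class _TagAudit(HTMLParser):
    """Walks the rendered markup the way a browser would and records tags the
    template never emits and any on* event-handler attribute."""

    TEMPLATE_TAGS = {"ul", "li"}  # assumption: what this toy template emits

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TEMPLATE_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")


def audit(rendered):
    """Return a list of findings; an empty list means no script-bearing
    markup came out of message text."""
    parser = _TagAudit()
    parser.feed(rendered)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("unsafe:", audit(render_unsafe(BULLETINS)))
    print("safe:  ", audit(render_safe(BULLETINS)))
```

The audit uses a real HTML parser rather than a regex on purpose: the escaped output still contains the characters "onerror=" as text, and a substring check would flag it even though a browser never sees an attribute there.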

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated low-privileged account that can create bulletin messages; no admin or power role is needed. The victim only has to open Splunk Web while the message is displayed, which makes administrators the natural target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 9.2.2, 9.1.5, 9.0.10; Splunk Cloud Platform: 9.1.2312.200, 9.1.2308.207

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0713

Restart Required: Yes

Instructions (Splunk Enterprise):

1. Back up $SPLUNK_HOME/etc (configuration, apps and users) before upgrading.
2. Download the fixed release for the branch you are on from Splunk downloads: 9.2.2, 9.1.5 or 9.0.10. Compare within the branch, not across branches: 9.1.4 is newer than 9.0.10 and still vulnerable.
3. Stop Splunk services.
4. Apply the update.
5. Restart Splunk services.
6. Verify the version and functionality.

Splunk Cloud Platform customers do not apply patches themselves; Splunk upgrades the stack, and the fixed versions are 9.1.2312.200 and 9.1.2308.207.

🔧 Temporary Workarounds

Restrict Bulletin Message Creation (applies to: all)

Limit the ability to create bulletin messages to trusted administrators only, and review the messages that already exist for HTML tags or script, since a payload posted before the restriction stays stored and keeps rendering.

Implement Content Security Policy (applies to: all)

Add CSP headers (for example at a reverse proxy in front of Splunk Web) to restrict where scripts may load from. Treat this as defence in depth only, and test it first: Splunk Web uses inline scripts, so a strict policy is likely to break the UI, and a policy that still permits 'unsafe-inline' does not stop an inline payload of this kind.

🧯 If You Can't Patch

  • Restrict bulletin message creation to admin users only, and delete or sanitize existing messages that contain markup
  • Monitor and audit all bulletin message creation activity (see Detection & Monitoring)
  • Apply the advisory's standard mitigation for Splunk Web issues: if nobody logs in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those hosts (web.conf, [settings] stanza, startwebserver = 0), which removes the rendering surface there

🔍 How to Verify

Check if Vulnerable:

Read the version from Help > About in Splunk Web, from the REST endpoint /services/server/info, or on the command line with $SPLUNK_HOME/bin/splunk version, then compare it against the fixed release for the same branch.

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm the version is at or above the fixed release for its branch: 9.0.x must be 9.0.10 or later, 9.1.x must be 9.1.5 or later, 9.2.x must be 9.2.2 or later. A plain "newer than 9.0.10" comparison is wrong, because 9.1.0 through 9.1.4 sort after 9.0.10 and are still vulnerable.
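A version check that applies the per-branch rule above, as an added example (not a Splunk tool): it parses the output of `splunk version`, looks up the fixed release for that branch from the advisory's list, and classifies the install. The binary path in `check_installed` is an assumption (adjust to $SPLUNK_HOME/bin/splunk), the treatment of 8.x as vulnerable and of branches newer than 9.2 as fixed is an assumption stated in the code, and Splunk Cloud versions are deliberately not handled because they use a different scheme and are upgraded by Splunk.

```python
import re
import subprocess

# First fixed release in each supported Splunk Enterprise branch, taken from
# the advisory on this page (SVD-2024-0713).
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 10),
    (9, 1): (9, 1, 5),
    (9, 2): (9, 2, 2),
}


def parse_version(output):
    """Pull the dotted version out of `splunk version` output,
    e.g. 'Splunk 9.1.4 (build 7d4d1dd7b8d0)' -> (9, 1, 4)."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", output)
    if not m:
        raise ValueError(f"no version number in: {output!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(version):
    """Classify a version as 'fixed' or 'vulnerable' within its own branch.

    A plain tuple comparison against 9.0.10 is the wrong check: 9.1.4 sorts
    after 9.0.10 yet is still vulnerable, because 9.1.x was fixed in 9.1.5.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < (9, 0):
        # Assumption: older branches (8.x) have no fixed release listed in
        # the advisory, so treat them as vulnerable and upgrade to a fixed branch.
        return "vulnerable"
    # Assumption (not stated on the page): branches newer than 9.2 were
    # released after the fix and include it.
    return "fixed"


def check_installed(splunk_bin="/opt/splunk/bin/splunk"):
    """Run `splunk version` on this host (the path is an assumption; use
    $SPLUNK_HOME/bin/splunk) and classify the result."""
    out = subprocess.run(
        [splunk_bin, "version"], capture_output=True, text=True, check=True
    ).stdout
    v = parse_version(out)
    return v, status(v)


if __name__ == "__main__":
    # Constructed sample outputs, so the script can be read without a Splunk host.
    for sample in (
        "Splunk 9.1.4 (build 7d4d1dd7b8d0)",
        "Splunk 9.0.10 (build 0a1b2c3d4e5f)",
        "Splunk 9.2.1 (build 1122334455aa)",
        "Splunk 8.2.12 (build ffeeddccbbaa)",
    ):
        v = parse_version(sample)
        print(".".join(map(str, v)), status(v))
```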

📡 Detection & Monitoring

Log Indicators:

  • Bulletin message creation, i.e. successful POST requests to the messages REST endpoint, in $SPLUNK_HOME/var/log/splunk/splunkd_access.log (direct REST on port 8089) or web_access.log (via Splunk Web), especially from accounts that do not normally post system notices
  • HTML tags or JavaScript in the stored messages themselves; the access logs record the request line, not its body, so read the messages back from the endpoint or the Messages menu
  • Failed login attempts against an account shortly followed by bulletin creation from it

Network Indicators:

  • Unexpected outbound connections from browsers with Splunk Web open, to hosts the Splunk UI does not normally contact
  • Script or image loads from external origins inside Splunk Web sessions

SIEM Query:

index=_internal (source=*splunkd_access.log OR source=*web_access.log) "POST" "/services/messages" | stats count by user, source

The path in this query is the messages REST endpoint; Splunk Web reaches it through its splunkd proxy, so the web_access.log entry carries the same path suffix. If the user field is not extracted on your version, fall back to a raw-string search on the username.
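The same detection logic run outside Splunk, as an added example (not Splunk's code, not part of this page): it parses lines in the shape of splunkd_access.log and web_access.log, counts successful bulletin creations per user, flags users outside an allow-list, and separately scans message text read back from the endpoint for anything a browser would treat as markup or script. The log lines, the message entries, the usernames and the allow-list are all constructed for the example; the exact field layout of real access logs varies by version, so treat the regex as a starting point.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of splunkd_access.log (direct REST on
# 8089) and web_access.log (Splunk Web proxying to splunkd). Made up for the
# example; not real log data.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jul/2024:10:02:11.120 +0000] "GET /services/messages HTTP/1.1" 200 812 - - - 3ms
10.0.0.5 - alice [01/Jul/2024:10:02:30.431 +0000] "POST /services/messages HTTP/1.1" 201 184 - - - 5ms
10.0.0.9 - bob [01/Jul/2024:10:03:02.009 +0000] "POST /en-US/splunkd/__raw/services/messages HTTP/1.1" 201 184 "https://splunk.example/en-US/manager" "Mozilla/5.0" - 12ms
10.0.0.9 - bob [01/Jul/2024:10:03:04.500 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 40ms
10.0.0.7 - admin [01/Jul/2024:10:10:00.000 +0000] "POST /services/messages HTTP/1.1" 201 184 - - - 4ms
10.0.0.9 - bob [01/Jul/2024:10:11:47.220 +0000] "POST /services/messages HTTP/1.1" 201 184 - - - 4ms
"""

# Common-log style prefix shared by both files: client, user, timestamp,
# request line, status. Anything after the status is ignored.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def message_creations(log_text):
    """(user, client, timestamp, path) for every successful POST whose path
    ends in /services/messages, whichever port or log it came through."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        is_create = (
            m["method"] == "POST"
            and m["path"].rstrip("/").endswith("/services/messages")
            and m["status"].startswith("2")
        )
        if is_create:
            hits.append((m["user"], m["client"], m["ts"], m["path"]))
    return hits


def creators_by_count(log_text):
    """Equivalent of `stats count by user` over the creation events."""
    return Counter(user for user, *_ in message_creations(log_text))


def unexpected_creators(log_text, allowed=("admin",)):
    """Users who created bulletins but are not expected to post system
    notices. The allow-list is an assumption for the example."""
    return sorted(u for u in creators_by_count(log_text) if u not in allowed)


# The access logs carry the request line, not the body, so the message text
# has to be read back (GET /services/messages or the Messages menu).
# Constructed sample of what such entries might contain:
SAMPLE_MESSAGES = [
    {"name": "restart-notice", "author": "admin", "message": "Indexer idx-03 restarted at 09:55"},
    {"name": "msg-8812", "author": "bob", "message": "<img src=x onerror=alert(document.cookie)>"},
    {"name": "msg-8813", "author": "alice", "message": "Search head maintenance tonight 22:00-23:00"},
    {"name": "msg-8814", "author": "bob", "message": 'Click <a href="javascript:alert(1)">here</a>'},
]

# A plain operational notice has no reason to contain a tag, an on*= handler
# or a javascript: URL; any of these is worth a human look.
SCRIPT_RE = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def suspicious_messages(messages):
    """Names of messages whose text contains markup or script indicators."""
    return [m["name"] for m in messages if SCRIPT_RE.search(m["message"])]


if __name__ == "__main__":
    print("creations per user:", dict(creators_by_count(SAMPLE_LOG)))
    print("unexpected creators:", unexpected_creators(SAMPLE_LOG))
    print("suspicious messages:", suspicious_messages(SAMPLE_MESSAGES))
```

The two halves answer different questions: the log pass tells you who created messages and when, the message pass tells you whether any of them is dangerous. A creation by an unexpected user with no suspicious text is still worth a look, because the message may already have been edited or deleted after it did its work.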

🔗 References

  • Splunk advisory SVD-2024-0713: https://advisory.splunk.com/advisories/SVD-2024-0713