SB2025111308 - Multiple vulnerabilities in Splunk Enterprise

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Open redirect (CVE-ID: CVE-2025-20378)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data passed via the "return_to" parameter of the Splunk Web login endpoint. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

2) Improper access control (CVE-ID: CVE-2025-20379)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions at the "/services/streams/search" endpoint. A remote low-privileged user can run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands by circumventing endpoint restrictions using character encoding in the REST path passed via the "q" parameter to the affected endpoint.

Remediation

Install update from vendor's website.

References

• https://advisory.splunk.com/advisories/SVD-2025-1101
• https://advisory.splunk.com/advisories/SVD-2025-1102