CVE-2010-2429
Description
Cross-site scripting (XSS) vulnerability in Splunk 4.0 through 4.1.2, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer in a "404 Not Found" response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Splunk 4.0-4.1.2 reflects unescaped HTTP Referer in 404 pages, enabling XSS in Internet Explorer.
Vulnerability
Splunk versions 4.0 through 4.1.2 contain a cross-site scripting (XSS) vulnerability in the Splunk Web component [1]. When the server returns a “404 Not Found” response for a non-existent resource, it renders the contents of the HTTP Referer header without proper escaping [1]. This code path is only reachable when Internet Explorer is used, as Firefox escapes the special characters ", <, and > in the rendered link [1]. The vulnerability is present in all Splunk Web deployments; light forwarders with Splunk Web disabled are not affected [1].
Exploitation
An attacker can trick a Splunk user into visiting a specially crafted web page that sends a request to a vulnerable Splunk server with a malicious Referer header containing arbitrary HTML or JavaScript [1]. The attacker does not need authentication, but user interaction is required (the victim must navigate to the attacker-controlled page while using Internet Explorer). The XSS payload is then reflected in the 404 error page served to the victim [1].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML that executes in the context of the Splunk Web interface [1]. This can lead to session hijacking, phishing, or other malicious actions within the authenticated Splunk session. The impact depends on the privileges of the victim user; at a minimum, it results in unauthenticated information disclosure or UI manipulation [1].
Mitigation
Splunk released version 4.1.3 on 2010-06-07 to fix this vulnerability [1]. All instances running Splunk 4.0 through 4.1.2 should be upgraded to 4.1.3 or later [1]. As a workaround, Splunk recommends applying the Splunk Hardening Standards to reduce risk and impact [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:splunk:splunk:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk:4.1.2:*:*:*:*:*:*:*
- (no CPE) range: >=4.0, <=4.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Splunk Web does not sanitize the HTTP Referer header before rendering it in a 404 Not Found response page, enabling cross-site scripting."
Attack vector
An attacker crafts a malicious web page that, when visited by a Splunk user running Internet Explorer, causes the browser to send a request to the Splunk server with a crafted HTTP Referer header containing JavaScript or HTML. The Splunk Web component [ref_id=1] reflects this unsanitized Referer value in the 404 Not Found response page, and Internet Explorer renders the injected script. The vulnerability is confirmed only in Internet Explorer because Firefox escapes the special characters ' " < > when rendering the link [ref_id=1]. The attack is network-exploitable with high complexity and requires no authentication [ref_id=1].
Affected code
The advisory [ref_id=1] identifies the Splunk Web component (the web server delivering the Splunk UI) as the affected code path. The vulnerability occurs when Splunk Web generates a 404 Not Found response and includes the unsanitized HTTP Referer header value in the output. No specific function or file names are provided in the bundle.
What the fix does
No patch diff is provided in the bundle. The advisory [ref_id=1] states that Splunk fixed this vulnerability in version 4.1.3 and recommends all vulnerable instances (Splunk 4.0 through 4.1.2) upgrade to that release. The advisory also recommends applying the Splunk Hardening Standards to mitigate risk [ref_id=1].
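The rendering pattern the root cause describes, shown as an added illustration rather than Splunk's own code (the real Splunk Web 4.x handler is not in the bundle): a minimal 404 page that interpolates the Referer header verbatim, beside one that escapes it and drops non-http(s) referrers. The paths, Referer values and function names are constructed for the example.

```python
"""Illustrative 404 handler: unescaped Referer reflection and its fix.

Added example, not Splunk's code. It reconstructs the generic pattern the
advisory describes (Referer echoed into a 404 body) and the standard fix
(contextual HTML escaping plus a scheme check on the link target).
"""
import html
from urllib.parse import urlsplit

# Constructed sample Referer values (not taken from any real request).
SAFE_REFERER = "https://splunk.example.internal/app/search/flashtimeline"
HOSTILE_REFERER = 'https://evil.example/page?x=<script>alert("xss")</script>'


def render_404_vulnerable(path, referer):
    """Pattern the advisory describes: the path is escaped but the Referer
    is interpolated verbatim, so tag and quote characters reach the browser
    (Firefox escapes them on its side; Internet Explorer did not)."""
    body = ["<html><body><h1>404 Not Found</h1>",
            "<p>The path %s was not found.</p>" % html.escape(path, quote=True)]
    if referer:
        body.append('<p>Go back to <a href="%s">%s</a></p>' % (referer, referer))
    body.append("</body></html>")
    return "\n".join(body)


def safe_back_link(referer):
    """Return an escaped, policy-checked link value, or None if no link
    should be emitted.

    Two layers: the referrer must parse as http(s) with a host, so
    javascript: and data: targets are dropped structurally, and whatever
    survives is HTML-escaped with quote=True so it can only ever appear as
    text or as an attribute value, never as markup."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(referer, quote=True)


def render_404_hardened(path, referer):
    """Fixed pattern: every request-controlled value is escaped for the HTML
    context it lands in; the server does not rely on the browser to do it."""
    body = ["<html><body><h1>404 Not Found</h1>",
            "<p>The path %s was not found.</p>" % html.escape(path, quote=True)]
    link = safe_back_link(referer)
    if link:
        body.append('<p>Go back to <a href="%s">%s</a></p>' % (link, link))
    body.append("</body></html>")
    return "\n".join(body)


def reflects_unescaped(page, header_value):
    """Defender-side regression check for any error page that echoes request
    headers: True if a header value carrying '<' or '>' appears in the
    response body byte-for-byte, i.e. without escaping."""
    if "<" not in header_value and ">" not in header_value:
        return False
    return header_value in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_404_vulnerable),
                         ("hardened", render_404_hardened)):
        page = render("/no/such/path", HOSTILE_REFERER)
        print("== %s 404 page (reflects unescaped: %s) ==" %
              (name, reflects_unescaped(page, HOSTILE_REFERER)))
        print(page)
```

The check in reflects_unescaped is the kind of test worth keeping in a web application's suite: send a request with a Referer containing markup to a path that does not exist, and assert the raw characters never come back in the body. It catches the same class of bug in any status page, not only 404s.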
Preconditions
- network: Attacker must be able to induce a Splunk user's Internet Explorer browser to send a request to the Splunk server with a crafted Referer header.
- auth: No authentication required; the 404 response is served to unauthenticated users.
- input: The HTTP Referer header must contain malicious HTML/JavaScript payload.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.splunk.com/view/SP-CAAAFHY (nvd, Patch, Vendor Advisory)
- secunia.com/advisories/40187 (nvd, Vendor Advisory)
- www.osvdb.org/65623 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/59517 (nvd)
News mentions
No linked articles in our index yet.