CVE-2016-4856

Medium severity (CVSS 4.8) · NVD Advisory · Published May 12, 2017 · Updated May 13, 2026

Description

Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in Splunk Enterprise and Splunk Light 6.3.x prior to 6.3.5 allows an attacker with administrator rights to inject arbitrary script that later executes in the browsers of other users.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Splunk Web component of Splunk Enterprise and Splunk Light versions 6.3.x prior to 6.3.5 [1][2]. It allows an attacker with administrator privileges to inject arbitrary web script or HTML via unspecified vectors [1]. The weakness is classified as stored XSS (CWE-79) [1].

Exploitation

An attacker must already hold administrator-level access to the Splunk instance [1]. Through unspecified vectors in the Splunk Web interface, the attacker can inject malicious script that is stored by the application and later executed in the browser of any other user who views the affected page [1]. The victim needs only to view that page; no further interaction is required.

Impact

Successful exploitation results in execution of arbitrary script in the victim's browser within the context of the Splunk Web application [1]. This can lead to disclosure of sensitive information, session hijacking, or other actions performed as the victim user. The CVSS v3 vector is AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N: high privileges are required (PR:H, matching the administrator prerequisite), user interaction is required (UI:R, the victim viewing the page), and confidentiality and integrity impact are low, but the scope changes (S:C) because the script runs in other users' browsers [1].

Mitigation

Upgrade to Splunk Enterprise 6.3.5 or later, or Splunk Light 6.3.5 or later [1][2]. These versions were released on 2016-06-06 [2]. Splunk also recommends applying the hardening standards from its Securing Splunk documentation [2]. No workaround is documented; upgrading is the only remediation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • Splunk Inc. / Splunk Enterprise: 6.3.x prior to 6.3.5 (>=6.3.0, <6.3.5)
  • Splunk Inc. / Splunk Light: 6.3.x prior to 6.3.5 (>=6.3.0, <6.3.5)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.