Published: 2025-12-03

Overview
CVE-2025-20387 is a high-severity vulnerability affecting Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. This vulnerability arises from incorrect permissions being assigned to the Universal Forwarder installation directory during a new installation or upgrade process. This flaw allows non-administrator users on the affected machine to gain unauthorized access to the installation directory and its contents.

Technical Details
The root cause of CVE-2025-20387 lies in the installation or upgrade scripts of affected Splunk Universal Forwarder versions. These scripts incorrectly set the permissions on the installation directory, granting broader access than intended. This misconfiguration enables…
Overview
CVE-2025-20386 is a high-severity vulnerability affecting Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. This vulnerability stems from incorrect permissions assignment during a new installation or upgrade, potentially granting unauthorized access to sensitive data and system resources to non-administrator users.

Technical Details
The vulnerability lies in the way Splunk Enterprise for Windows assigns permissions to the installation directory during the setup or upgrade process. In affected versions, the permissions granted inadvertently allow non-administrator users to access the Splunk Enterprise installation directory and all of its contents. This includes configuration files, logs, and potentially even executable files.…
Overview
CVE-2025-20385 is a reported Cross-Site Scripting (XSS) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. Specifically, a user with the high-privilege `admin_all_objects` capability can inject malicious JavaScript code via a crafted payload within the `href` attribute of an anchor tag in the navigation bar. This code can then be executed in the browser of another user interacting with the same navigation bar.

Technical Details
The vulnerability lies in the way Splunk handles user-defined content within the navigation bar’s collections. A user possessing the `admin_all_objects` capability, which grants broad administrative privileges, can manipulate the `href` attribute of anchor tags within…
Overview
CVE-2025-20384 is a medium-severity vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This security flaw allows an unauthenticated attacker to inject American National Standards Institute (ANSI) escape codes into Splunk log files. Due to improper validation at the /en-US/static/ web endpoint, specially crafted HTTP requests can be used to poison, forge, or obfuscate sensitive log data. This could significantly impact log integrity and detection capabilities, potentially masking malicious activity.

Technical Details
The vulnerability stems from insufficient input validation at the /en-US/static/ web endpoint in Splunk. This allows an attacker to send HTTP requests containing ANSI escape codes. These escape…
Overview
CVE-2025-20383 is a medium-severity vulnerability affecting Splunk Enterprise and the Splunk Secure Gateway app in Splunk Cloud Platform. This flaw allows a low-privileged user, lacking “admin” or “power” roles, who subscribes to mobile push notifications to potentially receive sensitive information, namely the title and description of reports or alerts they shouldn’t have access to. This data exposure occurs because the push notifications are not properly checking user permissions before delivering alert details.

Technical Details
The vulnerability resides in the mobile push notification functionality of Splunk. When a report or alert is triggered and configured to send push notifications, the…
Overview
This article provides a comprehensive overview of CVE-2025-20382, a low-severity unvalidated redirect vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This vulnerability could allow a low-privileged user to potentially redirect other users to a malicious external site via a specially crafted dashboard URL. It’s crucial to understand the details of this vulnerability and take appropriate mitigation steps to protect your Splunk environment.

Technical Details
CVE-2025-20382 exists due to insufficient validation of URLs used in custom dashboard backgrounds within Splunk. Specifically, a low-privileged user without “admin” or “power” roles can create a views dashboard with a custom background image using…
Overview
CVE-2025-20381 is a medium-severity vulnerability affecting Splunk MCP Server app versions below 0.2.4. This vulnerability allows a user with access to the “run_splunk_query” Model Context Protocol (MCP) tool to bypass the intended SPL command allowlist controls. By embedding SPL commands as sub-searches within their queries, attackers can execute unauthorized actions, potentially compromising the security and integrity of the Splunk environment.

Technical Details
The vulnerability stems from insufficient validation of SPL commands submitted through the “run_splunk_query” MCP tool. The MCP tool is designed to restrict users to a pre-defined set of allowed SPL commands. However, the validation mechanism fails…
Overview
CVE-2025-13751 describes a local denial-of-service (DoS) vulnerability affecting the interactive service agent in OpenVPN versions 2.5.0 through 2.7_rc2 running on Windows. An authenticated local user can exploit this vulnerability to connect to the service and trigger an error, ultimately leading to a denial of service.

Technical Details
The vulnerability exists within the OpenVPN interactive service agent on Windows. A local, authenticated user can connect to this service and manipulate it in a way that triggers an unhandled exception or error condition. This error effectively crashes the service agent, leading to a local denial-of-service. The specific mechanism by which this…
Overview
CVE-2025-13492 describes a potential security vulnerability identified in HP Image Assistant versions prior to 5.3.3. This vulnerability could potentially allow a local attacker to escalate their privileges via a race condition during package installation. It’s crucial for system administrators and users of HP Image Assistant to understand the implications and apply the necessary mitigations to protect their systems.

Technical Details
The vulnerability stems from a race condition that can occur during the installation of packages using HP Image Assistant. A local attacker with sufficient privileges to initiate package installations could potentially exploit this race condition to manipulate the installation…
Overview
CVE-2024-32643 describes a high-severity vulnerability in Masa CMS, an open-source Enterprise Content Management platform. This vulnerability allows unauthorized users to bypass group restrictions and access restricted content by manipulating the URL to include a /tag/ declaration. Successful exploitation could lead to unauthorized access to sensitive information and potentially compromise the integrity of the CMS. This vulnerability affects Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6. It has been addressed in versions 7.2.8, 7.3.13, and 7.4.6.

Technical Details
The vulnerability stems from insufficient input validation and access control mechanisms when handling URLs containing the /tag/ declaration. By appending /tag/…