CVSS: 9.0EPSS: 1%CPEs: 5EXPL: 0CVE-2024-36983 – Command Injection using External Lookups
https://notcve.org/view.php?id=CVE-2024-36983
01 Jul 2024 — In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance. En las versiones de Splunk Enterprise inferiores a 9.2.2, 9.1.5 y 9.0.10 y en las v... • https://advisory.splunk.com/advisories/SVD-2024-0703 • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36994 – Persistent Cross-site Scripting (XSS) in Dashboard Elements
https://notcve.org/view.php?id=CVE-2024-36994
01 Jul 2024 — In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View and Splunk Web Bulletin Messages that could result in execution of unauthorized JavaScript code in the browser of a user. En las versiones de Splunk Enterprise inferiores a 9.2.2, 9.1.5 y 9.0.10 y en las versiones de Splunk Cloud Platform inferiores a 9.1.231... • https://advisory.splunk.com/advisories/SVD-2024-0714 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •