CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-7432
https://notcve.org/view.php?id=CVE-2018-7432
Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allow remote attackers to cause a denial of service via a crafted HTTP request. Splunk Enterprise en versiones 6.2.x anteriores a la 6.2.14, versiones 6.3.x anteriores a la 6.3.10, versiones 6.4.x anteriores a la 6.3.11 y versiones 6.5.x anteriores a la 6.5.3; y en Splunk Light en versiones anteriores a la 6.6.0 permite que atacantes remotos provoquen una denegación de servicio (DoS) mediante una petición HTTP manipulada. • https://www.splunk.com/view/SP-CAAAP5T • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2018-7427
https://notcve.org/view.php?id=CVE-2018-7427
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en Splunk Web en Splunk Enterprise en versiones 6.0.x anteriores a la 6.0.14, versiones 6.1.x anteriores a la 6.1.13, versiones 6.2.x anteriores a la 6.2.14, versiones 6.3.x anteriores a la 6.3.10, versiones 6.4.x anteriores a la 6.4.7,y versiones 6.5.x anteriores a la 6.5.3; y en Splunk Light en versiones anteriores a la 6.6.0 permite que los atacantes remotos inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. • https://www.splunk.com/view/SP-CAAAP5T • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 84%CPEs: 1EXPL: 2CVE-2018-11409 – Splunk < 7.0.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2018-11409
Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key. Splunk hasta la versión 7.0.1 permite la divulgación de información anexando __raw/services/server/info/server-info?output_mode=json en una consulta, tal y como queda demostrado con el descubrimiento de una clave de licencia. Splunk 6.2.3 through 7.0.1 allows information disclosure by appending /__raw/services/server/info/server-info? • https://www.exploit-db.com/exploits/44865 http://www.securitytracker.com/id/1041148 https://github.com/kofa2002/splunk • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.8EPSS: 0%CPEs: 59EXPL: 0CVE-2016-4858
https://notcve.org/view.php?id=CVE-2016-4858
Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-site scripting en Splunk Enterprise versiones 6.4.x anteriores a la 6.4.2, Splunk Enterprise versiones 6.3.x anteriores a la 6.3.6, Splunk Enterprise versiones 6.2.x anteriores a la 6.2.10, Splunk Enterprise versiones 6.1.x anteriores a la 6.1.11, Splunk Enterprise versiones 6.0.x anteriores a la 6.0.12, Splunk Enterprise versiones 5.0.x anteriores a la 5.0.16 y Splunk Light versiones anteriores a la 6.4.2, que permitiría a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • https://jvn.jp/en/jp/JVN71462075/index.html https://www.splunk.com/view/SP-CAAAPN9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2016-4857
https://notcve.org/view.php?id=CVE-2016-4857
Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Vulnerabilidad de redirección abierta en Splunk Enterprise versiones 6.4.x anteriores a la 6.4.2, Splunk Enterprise versiones 6.3.x anteriores a la 6.3.6, Splunk Enterprise versiones 6.2.x anteriores a la 6.2.11 y Splunk Light anteriores a la 6.4.2, que permitiría la redirección de usuarios a sitios web arbitrarios y realizar ataques de phishing a través de vectores no especificados. • https://jvn.jp/en/jp/JVN39926655/index.html https://www.splunk.com/view/SP-CAAAPQM • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •