Techniques
Sample rules
Persistent XSS in RapidDiag through User Interface Views
- source: splunk
- techniques:
- T1189
Description
In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search shows which user may have added a malicious payload and which users were exposed to it.
Detection logic
`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=*
| table user action roles info path
| dedup user action
| `persistent_xss_in_rapiddiag_through_user_interface_views_filter`