Splunk XSS in Monitoring Console
An experimental detection analytic has been developed by the Splunk Threat Research team to identify attempts to exploit a reflected Cross-Site Scripting (XSS) vulnerability in the Splunk Distributed Monitoring Console app. This vulnerability, identified as CVE-2022-27183, could allow attackers to execute arbitrary scripts in the context of a user's browser, potentially leading to unauthorized actions or data theft.

The analytic works by detecting suspicious GET requests in the splunkd_web logs within the _internal index. It uses a Search Processing Language (SPL) query and macros to filter results, and it does not require new data ingestion. The detection is marked experimental and is not supported, meaning it has not been fully tested or simulated.

False positives may occur when the less-than sign is legitimately used in the description field of the monitoring console. The risk score for a potential XSS attempt is calculated from the impact and confidence levels set by the author of the analytic.

CVEs: CVE-2022-27183

[View Article](https://splunkresearch.com/application/b11accac-6fa3-4103-8a1a-7210f1a67087/)
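The following is an added example that is not the Splunk Threat Research team's analytic or its SPL. It re-creates the same detection idea in Python so the logic can be run over sample records offline: keep only GET requests to the monitoring console app, URL-decode the `description` parameter, flag any value containing a less-than sign, and attach a risk score derived from impact and confidence. The log line format, the `example_page` path, and the impact and confidence values are assumptions chosen for illustration; the sample records are constructed, not real splunkd_web events. The third record shows the false-positive case the summary mentions, a legitimate `<` in a description, which this logic flags just as the real analytic would.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records in the shape of a web access log. They are not
# real splunkd_web events, and "example_page" is a placeholder path.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Mar/2022:10:01:02.000 +0000] "GET /en-US/app/splunk_monitoring_console/example_page?description=cpu%20usage HTTP/1.1" 200 1234',
    '10.0.0.5 - admin [12/Mar/2022:10:02:02.000 +0000] "GET /en-US/app/splunk_monitoring_console/example_page?description=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 1234',
    '10.0.0.7 - analyst [12/Mar/2022:10:03:02.000 +0000] "GET /en-US/app/splunk_monitoring_console/example_page?description=latency%20%3C%2050ms HTTP/1.1" 200 1234',
    '10.0.0.9 - bob [12/Mar/2022:10:04:02.000 +0000] "POST /en-US/app/splunk_monitoring_console/example_page HTTP/1.1" 200 50',
    '10.0.0.9 - bob [12/Mar/2022:10:05:02.000 +0000] "GET /en-US/app/search/search?q=index%3D_internal HTTP/1.1" 200 50',
]

# Access-log style: client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Requests whose path belongs to the monitoring console app are in scope.
MONITORING_CONSOLE_PREFIX = "/app/splunk_monitoring_console/"


def risk_score(impact, confidence):
    """Risk score as impact * confidence / 100, the usual Splunk security-content
    formula. The impact and confidence values used below are illustrative."""
    return impact * confidence / 100


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, impact=50, confidence=50):
    """Flag GET requests to the monitoring console whose decoded 'description'
    parameter contains a less-than sign. Returns one finding per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["uri"])
        if MONITORING_CONSOLE_PREFIX not in parts.path:
            continue
        # parse_qs percent-decodes values, so %3C becomes "<".
        params = parse_qs(parts.query, keep_blank_values=True)
        for desc in params.get("description", []):
            if "<" in desc:
                findings.append({
                    "src": rec["src"],
                    "user": rec["user"],
                    "uri": rec["uri"],
                    "description": desc,
                    "risk_score": risk_score(impact, confidence),
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['src']} {f['user']} risk={f['risk_score']} description={f['description']!r}")
```

The second finding (`latency < 50ms`) is exactly the kind of benign value that makes the analytic noisy, so a tuning step would typically filter on what follows the `<` rather than on the character alone.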