CVE-2023-22940

MEDIUM Year: 2023
CVSS v3 Score
5.7
Medium
Weakness Type
CWE-20
View all →

Vulnerability Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.

Related Vulnerabilities

CVE-2016-1156

MEDIUM
CVSS:5.7(Medium)

LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X allows remote authenticated users to cause a denial of service (application crash) via a crafted post that is mishandled when displa...

CWE-202016

CVE-2016-5947

MEDIUM
CVSS:5.7(Medium)

IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to conduct clickjacking attacks via a crafted web site.

CWE-202016

CVE-2016-9719

MEDIUM
CVSS:5.7(Medium)

IBM InfoSphere Master Data Management Server 10.1. 11.0. 11.3, 11.4, 11.5, and 11.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicio...

CWE-202016

CVE-2017-17860

MEDIUM
CVSS:5.7(Medium)

In Samsung Gear products, Bluetooth link key is updated to the different key which is same with attacker's link key. It can be attacked without user's intention only if attacker can reveal the Bluetoo...

CWE-202017

CVE-2017-8969

MEDIUM
CVSS:5.7(Medium)

An improper input validation vulnerability in HPE Insight Control version 7.6 LR1 was found.

CWE-202017

CVE-2017-9773

MEDIUM
CVSS:5.7(Medium)

Denial of Service was found in Horde_Image 2.x before 2.5.0 via a crafted URL to the "Null" image driver.

CWE-202017