Two moderate flaws were found in Splunk. An attacker may use them to launch XSS and CSRF attacks. Unspecified input data is not properly validated before being returned to a user. An attacker may exploit the flaw to execute arbitrary HTML and script code in the context of the visited website.
The application also allows certain actions to be performed via HTTP requests without properly checking the validity of those requests. The vulnerability can be exploited to execute arbitrary code when a logged-in administrator visits a malicious website.
The flaws are present in Splunk 4.2 to 4.2.4. Users should upgrade to version 4.2.5.
Source: Secunia
15.12.2011