Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage.
hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
seclists.org/fulldisclosure/2017/Mar/89
www.securityfocus.com/archive/1/540346/100/0/threaded
www.securityfocus.com/bid/97265
www.securityfocus.com/bid/97286
www.securitytracker.com/id/1038170
www.exploit-db.com/exploits/41779/
www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607