Splunk 4.1.5 addresses XXE and CSRF issues
Splunk was really cool to coordinate with by being responsive, communicative, and open. I was really impressed with their professionalism.
About the bugs:
XXE bugs are fun. For a good example of how XXE bugs work, I'd point at the following advisory by Chris Evans:
Note that in the above bug the XXE existed on the client, allowing an attacker to access the client's local files. In this case the XXE occurs on the server side, so your external entity can point at a resource accessible to Splunk. (Steal files off the server.)
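As an added example (not from the post, and not Splunk's code), the usual server-side mitigation for this class of bug: refuse any XML that carries a DTD before it reaches the application's parser, so an external entity is never resolved. The request shape, element names and placeholder file path are constructed for the demonstration.

```python
"""Reject XML carrying a DTD before handing it to the application parser."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when a document declares a DOCTYPE or any entity."""


def scan_for_dtd(data: bytes) -> list:
    """Return a description of every DOCTYPE / entity declaration in data.

    Uses a bare expat parser with no resolving handlers, so nothing is read
    from disk or the network during the scan; parameter-entity parsing is
    off so an external DTD subset is never loaded either.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name} (system id: {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        target = sysid if sysid is not None else value
        findings.append(f"{kind} entity {name!r} -> {target!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Returning 1 tells expat the reference was handled without reading anything.
    parser.ExternalEntityRefHandler = lambda *_: 1
    parser.Parse(data, True)
    return findings


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing any document with a DTD."""
    findings = scan_for_dtd(data)
    if findings:
        raise DtdRejected("; ".join(findings))
    return ET.fromstring(data)


# Constructed sample: a request whose external entity points at a file on the
# server (placeholder path, not a real one).
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE search [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/server/file">
]>
<search><query>&ext;</query></search>"""

# Constructed sample: the same request shape with no DTD at all.
CLEAN_REQUEST = b'<?xml version="1.0"?><search><query>error</query></search>'
```

The rejection message names the declared entity and its SYSTEM id, which is what you want in the server log when a request like this arrives.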
Their advisory is available at: