Problem Note 55539: The SAS® 9.4 Web Administration interface contains a cross-site scripting vulnerability.
Severity: Medium
Description: The notification-template functionality of the SAS Web Administration interface (SASAdmin) contains a cross-site scripting vulnerability.
Potential Impact: Users might unknowingly execute malicious code.
Solution: A temporary workaround is available for this issue. To disable the affected functionality:
- Remove the SASTemplateEditor.xml file from the following directory:
  SAS-configuration-directory/LevN/Web/WebAppServer/SASServer1_1/conf/Catalina/localhost
- Restart the SAS® Web Application Server.
These steps leave the majority of the SASAdmin web application functional while only disabling the functionality that is related to notifications.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information

Product Family | Product | System | Product Release: Reported In | Product Release: Fixed In* | SAS Release: Reported In | SAS Release: Fixed In*
SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled AIX | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled Solaris | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | HP-UX IPF | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Linux for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Solaris for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: Problem Note
Priority: high
Date Modified: 2015-04-15 08:31:26
Date Created: 2015-04-10 11:37:49