63526 - SAS® Studio contains cross-site scripting and HTML-injection vulnerabilities

Problem Note 63526: SAS® Studio contains cross-site scripting and HTML-injection vulnerabilities

Severity: Medium

Description: SAS Studio contains multiple cross-site scripting and HTML-injection vulnerabilities.

Potential Impact: Users can unknowingly execute malicious code that is injected into application responses.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Studio	Microsoft® Windows® for x64	3.7		9.4 TS1M5
		Microsoft Windows 8 Enterprise 32-bit	3.7		9.4 TS1M5
		Microsoft Windows 8 Enterprise x64	3.7		9.4 TS1M5
		Microsoft Windows 8 Pro 32-bit	3.7		9.4 TS1M5
		Microsoft Windows 8 Pro x64	3.7		9.4 TS1M5
		Microsoft Windows 8.1 Enterprise 32-bit	3.7		9.4 TS1M5
		Microsoft Windows 8.1 Enterprise x64	3.7		9.4 TS1M5
		Microsoft Windows 8.1 Pro 32-bit	3.7		9.4 TS1M5
		Microsoft Windows 8.1 Pro x64	3.7		9.4 TS1M5
		Microsoft Windows 10	3.7		9.4 TS1M5
		Microsoft Windows Server 2008	3.7		9.4 TS1M5
		Microsoft Windows Server 2008 R2	3.7		9.4 TS1M5
		Microsoft Windows Server 2008 for x64	3.7		9.4 TS1M5
		Microsoft Windows Server 2012 Datacenter	3.7		9.4 TS1M5
		Microsoft Windows Server 2012 R2 Datacenter	3.7		9.4 TS1M5
		Microsoft Windows Server 2012 R2 Std	3.7		9.4 TS1M5
		Microsoft Windows Server 2012 Std	3.7		9.4 TS1M5
		Microsoft Windows Server 2016	3.7		9.4 TS1M5
		Windows 7 Enterprise 32 bit	3.7		9.4 TS1M5
		Windows 7 Enterprise x64	3.7		9.4 TS1M5
		Windows 7 Home Premium 32 bit	3.7		9.4 TS1M5
		Windows 7 Home Premium x64	3.7		9.4 TS1M5
		Windows 7 Professional 32 bit	3.7		9.4 TS1M5
		Windows 7 Professional x64	3.7		9.4 TS1M5
		Windows 7 Ultimate 32 bit	3.7		9.4 TS1M5
		Windows 7 Ultimate x64	3.7		9.4 TS1M5
		64-bit Enabled AIX	3.7		9.4 TS1M5
		64-bit Enabled Solaris	3.7		9.4 TS1M5
		HP-UX IPF	3.7		9.4 TS1M5
		Linux for x64	3.7		9.4 TS1M5
		Solaris for x64	3.7		9.4 TS1M5

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Viya on Linux: An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Linux Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdates

Viya on Windows: An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Windows Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesWin

An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Windows Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesWin

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdates

A fix for this issue for SAS Studio 3.8 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/D8F.html#63526

A fix for this issue for SAS Studio 3.71 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/C2L.html#63526

A fix for this issue for SAS Studio 3.7 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/C7W.html#63526

Type:	Problem Note
Priority:	high

Date Modified:	2019-03-15 11:17:56
Date Created:	2019-01-22 11:19:12

Support

Problem Note 63526: SAS® Studio contains cross-site scripting and HTML-injection vulnerabilities

Operating System and Release Information