65358 - SAS® Graph Builder contains a cross-site scripting vulnerability

Problem Note 65358: SAS® Graph Builder contains a cross-site scripting vulnerability

Severity: Low

Description: An authenticated user can store a graph template containing malicious Javascript.

Potential Impact: If a user accesses the graph template directly (outside of SAS® Visual Analytics), the malicious Javascript is executed in the user's browser.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Visual Analytics	Cloud Foundry	8.5		Viya
		Linux for x64	8.5		Viya
		Microsoft® Windows® for x64	8.5		Viya

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Viya on Windows: An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Windows Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesWin

Viya on Linux: An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Linux Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdates

Viya on Windows: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Windows Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.5&softwareContextId=softwareUpdatesWin

Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at

http://documentation.sas.com/?softwareId=administration&softwareVersion=3.5&softwareContextId=softwareUpdates

Malicious script can be placed inside a graph template in a stored XML file. SAS Visual Analytics parses it safely, but direct access to the XML resource might result in script execution.

Type:	Problem Note
Priority:	high

Date Modified:	2020-02-12 16:29:49
Date Created:	2020-01-15 09:38:41

Support

Problem Note 65358: SAS® Graph Builder contains a cross-site scripting vulnerability

Operating System and Release Information