Problem Note 65358: SAS® Graph Builder contains a cross-site scripting vulnerability
Severity: Low
Description: An authenticated user can store a graph template containing malicious JavaScript.
Potential Impact: If a user accesses the graph template directly (outside of SAS® Visual Analytics), the malicious JavaScript is executed in the user's browser.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
SAS System | SAS Visual Analytics | Cloud Foundry | 8.5 | | Viya | |
Linux for x64 | 8.5 | | Viya | |
Microsoft® Windows® for x64 | 8.5 | | Viya | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Malicious script can be placed inside a graph template in a stored XML file. SAS Visual Analytics parses it safely, but direct access to the XML resource might result in script execution.
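A defensive check for the condition described above, as an added example that is not SAS code and not part of the original note: it scans a stored XML template for elements in the XHTML or SVG namespaces, which a browser treats as live markup when the file is opened directly. The template element names and both sample documents are constructed for illustration and do not reflect the actual SAS Graph Builder schema.

```python
import xml.etree.ElementTree as ET

# Namespaces a browser treats as live markup when an XML file is opened directly.
ACTIVE_NAMESPACES = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}
URI_ATTRS = {"href", "src", "action"}

# Constructed samples; element names are hypothetical, not the SAS template schema.
CLEAN_TEMPLATE = (
    '<GraphTemplate name="bar"><Layout>'
    '<BarChart category="region"/></Layout></GraphTemplate>'
)
SUSPECT_TEMPLATE = (
    '<GraphTemplate name="bar"><Layout>'
    '<h:script xmlns:h="http://www.w3.org/1999/xhtml">/* placeholder */</h:script>'
    '</Layout></GraphTemplate>'
)


def split_name(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def find_active_content(xml_text):
    """Return sorted (kind, name) findings for markup a browser could run."""
    if "<!DOCTYPE" in xml_text.upper():
        # Refuse DTDs so the scanner itself never expands entities.
        return [("doctype", "")]
    findings = set()
    for elem in ET.fromstring(xml_text).iter():
        ns, local = split_name(elem.tag)
        if ns in ACTIVE_NAMESPACES:
            findings.add(("element", local))
        for attr, value in elem.attrib.items():
            attr_local = split_name(attr)[1].lower()
            if ns in ACTIVE_NAMESPACES and attr_local.startswith("on"):
                findings.add(("handler", attr_local))
            if attr_local in URI_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.add(("script-uri", attr_local))
    return sorted(findings)
```

An empty result means no browser-active markup was found; any finding marks a template to review before it is served or opened outside the application.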
Type: | Problem Note |
Priority: | high |
Date Modified: | 2020-02-12 16:29:49 |
Date Created: | 2020-01-15 09:38:41 |