Problem Note 67728: Scalable Vector Graphic (SVG) images in SAS® Customer Intelligence Studio are affected by a security vulnerability
 |  |  |  |  |
Severity: Medium
Description: In SAS Customer Intelligence Studio, you can use a link to an external Scalable Vector Graphics (SVG) image. The external SVG image can contain malicious JavaScript code.
Potential Impact: Users might execute the malicious JavaScript code unknowingly.
Click the Hot Fix tab in this note to access the hot fix for this issue.
After you apply the hot fix, a new property named sas.ci.turnImageAttachmentsOff will be available. The new property can be added to the index.jsp file that resides in the SAS-configuration-directory\Lev1\Web\WebAppServer\SASServer6_1\sas_webapps\sas.customerintelligencestudio.war directory, as follows.
<sas-html:config-property name="sas.ci" value="{}" quote="false"/>
<sas-html:config-property name="sas.ci.turnAttachmentsOff" value="true"/>
<sas-html:config-property name="sas.ci.turnImageAttachmentsOff" value="true"/>
<sas-html:config-property name="sas.applicationSwitcher" value="{}" quote="false"/>
<sas-html:config-property name="sas.applicationSwitcher.hubServiceAvailable" value="<%= hubServiceAvailable %>" quote="false"/>
When you change the value to true, the Image section for both campaigns and treatments is hidden completely.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Customer Intelligence Studio | Microsoft® Windows® for x64 | 6.6 | |||
| Microsoft Windows 8 Enterprise 32-bit | 6.6 | |||||
| Microsoft Windows 8 Enterprise x64 | 6.6 | |||||
| Microsoft Windows 8 Pro 32-bit | 6.6 | |||||
| Microsoft Windows 8 Pro x64 | 6.6 | |||||
| Microsoft Windows 8.1 Enterprise 32-bit | 6.6 | |||||
| Microsoft Windows 8.1 Enterprise x64 | 6.6 | |||||
| Microsoft Windows 8.1 Pro 32-bit | 6.6 | |||||
| Microsoft Windows 8.1 Pro x64 | 6.6 | |||||
| Microsoft Windows 10 | 6.6 | |||||
| Microsoft Windows 95/98 | 6.6 | |||||
| Microsoft Windows 2000 Advanced Server | 6.6 | |||||
| Microsoft Windows 2000 Datacenter Server | 6.6 | |||||
| Microsoft Windows 2000 Server | 6.6 | |||||
| Microsoft Windows 2000 Professional | 6.6 | |||||
| Microsoft Windows NT Workstation | 6.6 | |||||
| Microsoft Windows Server 2003 Datacenter Edition | 6.6 | |||||
| Microsoft Windows Server 2003 Enterprise Edition | 6.6 | |||||
| Microsoft Windows Server 2003 Standard Edition | 6.6 | |||||
| Microsoft Windows Server 2003 for x64 | 6.6 | |||||
| Microsoft Windows Server 2008 | 6.6 | |||||
| Microsoft Windows Server 2008 R2 | 6.6 | |||||
| Microsoft Windows Server 2008 for x64 | 6.6 | |||||
| Microsoft Windows Server 2012 Datacenter | 6.6 | |||||
| Microsoft Windows Server 2012 R2 Datacenter | 6.6 | |||||
| Microsoft Windows Server 2012 R2 Std | 6.6 | |||||
| Microsoft Windows Server 2012 Std | 6.6 | |||||
| Microsoft Windows Server 2016 | 6.6 | |||||
| Microsoft Windows Server 2019 | 6.6 | |||||
| Microsoft Windows XP Professional | 6.6 | |||||
| Windows 7 Enterprise 32 bit | 6.6 | |||||
| Windows 7 Enterprise x64 | 6.6 | |||||
| Windows 7 Home Premium 32 bit | 6.6 | |||||
| Windows 7 Home Premium x64 | 6.6 | |||||
| Windows 7 Professional 32 bit | 6.6 | |||||
| Windows 7 Professional x64 | 6.6 | |||||
| Windows 7 Ultimate 32 bit | 6.6 | |||||
| Windows 7 Ultimate x64 | 6.6 | |||||
| Windows Millennium Edition (Me) | 6.6 | |||||
| Windows Vista | 6.6 | |||||
| Windows Vista for x64 | 6.6 | |||||
A fix for this issue for SAS Marketing Automation 6.6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/H8P.html#67728| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2021-07-13 16:07:22 |
| Date Created: | 2021-04-07 06:38:14 |