Tableau Server Input Validation XSS

medium Nessus Plugin ID 170978

Synopsis

A Tableau Server instance installed on the remote host is affected by an XSS vulnerability.

Description

The version of Tableau running on the remote host is affected by an XSS vulnerability that could allow malicious actors to extract sensitive data from the application. An attacker could leverage the cross-site scripting vulnerability to conduct an attack against a user and gain access to sensitive information. It could also lead to account takeover using a malicious login page or vertical privilege escalation by sending requests to add a malicious user as administrator on the application.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Tableau Server to 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.5, or later.

See Also

http://www.nessus.org/u?1e424519

Plugin Details

Severity: Medium

ID: 170978

File Name: tableau_server_xss_2022.nasl

Version: 1.0

Type: remote

Family: Misc.

Published: 2/3/2023

Updated: 2/3/2023

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Vulnerability Information

CPE: cpe:/a:tableau:tableau_server

Required KB Items: installed_sw/Tableau Server

Patch Publication Date: 5/1/2022

Vulnerability Publication Date: 7/13/2022

Reference Information

IAVB: 2022-B-0053-S