Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in SAS 9.4 software
12 December 2023 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2023-4932
Publication date 12 December 2023
Vendor SAS Institute
Product SAS
Vulnerable versions 9.4_M7 and 9.4_M8
Vulnerability type (CWE) Reflected XSS (CWE-79)
Report source Report to CERT Polska

Description

CERT Polska has received a report about a vulnerability in SAS 9.4 software and participated in coordination of its disclosure. The application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the "_program" parameter of the the "/SASStoredProcess/do" endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user.

The weakness has been assigned the number CVE-2023-4932. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of previous ones is unknown. For above mentioned versions hot fixes were published.

Credits

We thank Sławomir Zakrzewski and Maksymilian Kubiak from AFINE team for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.