Report an incident
Report an incident

Vulnerability in SAS 9.4 software
12 December 2023 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2023-4932
Publication date 12 December 2023
Vendor SAS Institute
Product SAS
Vulnerable versions 9.4_M7 and 9.4_M8
Vulnerability type (CWE) Reflected XSS (CWE-79)
Report source Report to CERT Polska


CERT Polska has received a report about a vulnerability in SAS 9.4 software and participated in coordination of its disclosure. The application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the "_program" parameter of the the "/SASStoredProcess/do" endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user.

The weakness has been assigned the number CVE-2023-4932. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of previous ones is unknown. For above mentioned versions hot fixes were published.


We thank Sławomir Zakrzewski and Maksymilian Kubiak from AFINE team for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at