Lucene search

[email protected]CVE-2023-24724

HistoryApr 03, 2023 - 10:15 p.m.

CVE-2023-24724

2023-04-0322:15:07

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-24724

sas 9.4

admin console

xss vulnerability

user management

sasadmin

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

39.8%

JSON

A stored cross site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields. The product name is SAS Web Administration interface (SASAdmin). For the product release, the reported version is 9.4_M2 and the fixed version is 9.4_M3. For the SAS release, the reported version is 9.4 TS1M2 and the fixed version is 9.4 TS1M3.

Affected configurations

NVD

Node

sasweb_administration_interfaceMatch9.4m2

CPENameOperatorVersion
sas:web_administration_interfacesas web administration interfaceeq9.4

CPE	Name	Operator	Version
sas:web_administration_interface	sas web administration interface	eq	9.4

References

medium.com/%40williamamorim256/stored-xss-vulnerability-discovered-in-sas-9-4-admin-console-5680e9e4062c

owasp.org/www-community/attacks/xss/

support.sas.com/kb/55/539.html