Lucene search

CERT-PLCVELIST:CVE-2023-4932

HistoryDec 12, 2023 - 9:48 a.m.

CVE-2023-4932 Reflected Cross-Site Scripting in SAS 9.4

2023-12-1209:48:23

CWE-79

CERT-PL

www.cve.org

cve-2023-4932

reflected cross-site scripting

sas application

input validation

sasstoredprocess/do endpoint

javascript execution

authenticated user

low-privileged user

vulnerable versions

hot fixes

6.3 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

0.001 Low

EPSS

Percentile

20.2%

JSON

SAS application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the _program parameter of the the /SASStoredProcess/do endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of others is unknown. For above mentioned versions hot fixes were published.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "SAS Integration Technologies",
    "vendor": "SAS Institute",
    "versions": [
      {
        "changes": [
          {
            "at": "hot fix J2L022",
            "status": "unaffected"
          },
          {
            "at": "hot fix M2K006",
            "status": "unaffected"
          },
          {
            "at": "hot fix I9E018",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "9.4_M8",
        "status": "affected",
        "version": "9.4_M7",
        "versionType": "custom"
      }
    ]
  }
]

References

cert.pl/en/posts/2023/12/CVE-2023-4932/

cert.pl/posts/2023/12/CVE-2023-4932/

support.sas.com/kb/70/265.html