CVE-2023-4932

SAS application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the _program parameter of the the /SASStoredProcess/do endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of others is unknown. For above mentioned versions hot fixes were published.

Published: Dec 12, 2023
Updated: Dec 16, 2023
CVE: CVE-2023-4932
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sas / integration_technologies	9.4-m8	9.4-m8.x
sas / integration_technologies	9.4-m7	9.4-m7.x

https://cert.pl/en/posts/2023/12/CVE-2023-4932/
https://cert.pl/posts/2023/12/CVE-2023-4932/
https://support.sas.com/kb/70/265.html

Vulnerability Database

CVE-2023-4932