CVE-2023-24724

03.04.2023, 22:15

A stored cross site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields. The product name is SAS Web Administration interface (SASAdmin). For the product release, the reported version is 9.4_M2 and the fixed version is 9.4_M3. For the SAS release, the reported version is 9.4 TS1M2 and the fixed version is 9.4 TS1M3.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 62%

Vendor	Product	Version
sas	web_administration_interface	9.4:m2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://medium.com/%40williamamorim256/stored-xss-vulnerability-discovered-in-sas-9-4-admin-console-5680e9e4062c

https://owasp.org/www-community/attacks/xss/

https://support.sas.com/kb/55/539.html

https://medium.com/%40williamamorim256/stored-xss-vulnerability-discovered-in-sas-9-4-admin-console-5680e9e4062c

https://owasp.org/www-community/attacks/xss/

https://support.sas.com/kb/55/539.html