Unrated severityNVD Advisory· Published Dec 12, 2023· Updated Aug 2, 2024

Reflected Cross-Site Scripting in SAS 9.4

CVE-2023-4932

Description

SAS application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the _program parameter of the the /SASStoredProcess/do endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of others is unknown. For above mentioned versions hot fixes were published.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Ninja Kiwi/Sas\llm-fuzzy
Range: 9.4_M7, 9.4_M8
SAS Institute/SAS Integration Technologiesv5
Range: 9.4_M7

Patches

Vulnerability mechanics

References

cert.pl/en/posts/2023/12/CVE-2023-4932/mitrethird-party-advisory
cert.pl/posts/2023/12/CVE-2023-4932/mitrethird-party-advisory
support.sas.com/kb/70/265.htmlmitrevendor-advisorypatch

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000