VYPR

SAS Studio

by Sas

CVEs (3)

  • CVE-2024-48734 | High | Oct 30, 2024
    risk 0.58 | cvss 8.8 | epss 0.01

    Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users.

  • CVE-2024-48733 | High | Oct 30, 2024
    risk 0.58 | cvss 8.8 | epss 0.01

    SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users.

  • CVE-2024-48735 | High | Oct 30, 2024
    risk 0.50 | cvss 7.7 | epss 0.01

    Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows remote attacker to access internal files by manipulating default path during file download. NOTE: this is disputed by the vendor because these filesystem paths are…