Severity: Medium


Summary: An authenticated attacker with the ability to upload or edit a workbook might be able to trigger a cross-site scripting (XSS) vulnerability in Tableau Server.  


Impact: Allows unauthorized disclosure and modification of information


Vulnerable Versions: Tableau Server 8.2 (through 8.2.20), 8.3 (through 8.3.15), 9.0 (through 9.0.18), 9.1 (through 9.1.14), 9.2 (through 9.2.13), 9.3 (through 9.3.8), 10.0 (through 10.0.2), 10.1 (through 10.1.0)


Conditions: The attacker must have permission to upload a workbook to Tableau Server and convince the victim to connect to it using a web browser.


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.1.1
Tableau Server 10.0.3
Tableau Server 9.3.9
Tableau Server 9.2.14
Tableau Server 9.1.15
Tableau Server 9.0.19
Tableau Server 8.3.16
Tableau Server 8.2.21


Acknowledgement: This vulnerability was found internally