Summary: An authenticated attacker with the ability to upload or edit a workbook might be able to trigger a cross-site scripting (XSS) vulnerability in Tableau Server.
Impact: Allows unauthorized disclosure and modification of information
Vulnerable Versions: Tableau Server 8.2 (through 8.2.20), 8.3 (through 8.3.15), 9.0 (through 9.0.18), 9.1 (through 9.1.14), 9.2 (through 9.2.13), 9.3 (through 9.3.8), 10.0 (through 10.0.2), 10.1 (through 10.1.0)
Conditions: The attacker must have permission to upload a workbook to Tableau Server and convince the victim to connect to it using a web browser.
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server 10.1.1 Tableau Server 10.0.3 Tableau Server 9.3.9 Tableau Server 9.2.14 Tableau Server 9.1.15 Tableau Server 9.0.19 Tableau Server 8.3.16 Tableau Server 8.2.21
Acknowledgement: This vulnerability was found internally