Severity: Medium

 

Summary: This vulnerability requires that a malicious user embed specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. The malicious user must then construct a specially crafted URL that enables arbitrary JavaScript to run in the victim's browser at run time.

 

Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.

 

Vulnerable Versions: Tableau Server 10.1 (through 10.1.7), 10.2 (through 10.2.1).

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.1.8

Tableau Server: 10.2.2