Severity: Medium


Summary: Exploiting this vulnerability requires a malicious user to embed specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. The malicious user must then construct a specially crafted URL that causes arbitrary JavaScript to run in the victim's browser at run time.


Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.


Vulnerable Versions: Tableau Server 10.1 (through 10.1.7), 10.2 (through 10.2.1).


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.1.8

Tableau Server: 10.2.2