Severity: Medium

Summary: An API call used to retrieve a user image on Tableau Server lacks an access control check, which makes it possible for an authenticated user to obtain the image of a user on another site.

Impact: This vulnerability allows an authenticated user to obtain the image of a user on another site.

Vulnerable Versions: The following versions of Tableau Server are vulnerable:

Tableau Server: 10.1 through 10.1.12
Tableau Server: 10.2 through 10.2.7
Tableau Server: 10.3 through 10.3.5
Tableau Server: 10.4 through 10.4.1
Tableau Server: 10.5 through 10.5.0

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server: 10.1.13
Tableau Server: 10.2.8
Tableau Server: 10.3.7
Tableau Server: 10.4.3
Tableau Server: 10.5.1