Severity: Medium

 

Summary: This vulnerability requires that a malicious user embed specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. The malicious user must then construct a specially crafted URL to enable arbitrary JavaScript to run in the victim's browser at run time.

 

Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.

 

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.14

Tableau Server 10.4 through 10.4.10

Tableau Server 10.5 through 10.5.7

Tableau Server 2018.1 through 2018.1.4

Tableau Server 2018.2 through 2018.2.1

Tableau Server on Linux 10.5 through 10.5.7

Tableau Server on Linux 2018.1 through 2018.1.4

Tableau Server on Linux 2018.2 through 2018.2.1

 

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.15

Tableau Server 10.4.11

Tableau Server 10.5.8

Tableau Server 2018.1.5

Tableau Server 2018.2.2

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.2
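
The version lists above, turned into a check that can be run over an inventory of servers. This is an added example, not code from Tableau; the `major.minor[.patch]` string format, the function names and the sample hostnames are assumptions. Branches the advisory does not list are reported as `not-listed` rather than as fixed.

```python
import re

# First fixed maintenance release per branch, copied from the Resolution list.
# Tableau Server on Linux (10.5, 2018.1, 2018.2) lists the same numbers.
FIXED_PATCH = {
    (10, 0): 21, (10, 1): 20, (10, 2): 16, (10, 3): 15,
    (10, 4): 11, (10, 5): 8, (2018, 1): 5, (2018, 2): 2,
}

def parse_version(version):
    """Split 'major.minor[.patch]' into ((major, minor), patch)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    # A bare '2018.2' is the initial release of the branch, i.e. patch 0.
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def classify(version):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    branch, patch = parse_version(version)
    if branch not in FIXED_PATCH:
        # Not the same as safe; the advisory does not cover this branch.
        return "not-listed"
    return "vulnerable" if patch < FIXED_PATCH[branch] else "fixed"

def upgrade_plan(inventory):
    """Map each vulnerable host to the first fixed release of its branch."""
    plan = {}
    for host, version in inventory.items():
        if classify(version) == "vulnerable":
            (major, minor), _ = parse_version(version)
            plan[host] = f"{major}.{minor}.{FIXED_PATCH[(major, minor)]}"
    return plan

# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "tableau-prod": "10.5.7",
    "tableau-dev": "2018.2",
    "tableau-dr": "10.3.15",
    "tableau-lab": "2018.3.1",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(host, version, classify(version))
    print(upgrade_plan(SAMPLE_INVENTORY))
```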