Highest overall severity: High


Summary:

Tableau Server fails to properly sanitize certain strings when rendering a published workbook, which results in a cross-site scripting vulnerability. An authenticated user with publishing permissions may publish a workbook to Tableau Server that can trigger this vulnerability.


Impact:

When users open the modified workbook with a specially crafted URL, arbitrary JavaScript can run in the browser session.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H - 8.0 High


Vulnerable versions:

  • Tableau Server on Windows 10.1 through 10.1.23
  • Tableau Server on Windows 10.2 through 10.2.19
  • Tableau Server on Windows 10.3 through 10.3.19
  • Tableau Server on Windows 10.4 through 10.4.15
  • Tableau Server on Windows 10.5 through 10.5.14
  • Tableau Server on Windows 2018.1 through 2018.1.11
  • Tableau Server on Windows 2018.2 through 2018.2.8
  • Tableau Server on Windows 2018.3 through 2018.3.5

  • Tableau Server on Linux 10.5 through 10.5.14
  • Tableau Server on Linux 2018.1 through 2018.1.11
  • Tableau Server on Linux 2018.2 through 2018.2.8
  • Tableau Server on Linux 2018.3 through 2018.3.5


Resolved in versions:

  • Tableau Server on Windows 10.1.24
  • Tableau Server on Windows 10.2.20
  • Tableau Server on Windows 10.3.20
  • Tableau Server on Windows 10.4.16
  • Tableau Server on Windows 10.5.15
  • Tableau Server on Windows 2018.1.12
  • Tableau Server on Windows 2018.2.9
  • Tableau Server on Windows 2018.3.6

  • Tableau Server on Linux 10.5.15
  • Tableau Server on Linux 2018.1.12
  • Tableau Server on Linux 2018.2.9
  • Tableau Server on Linux 2018.3.6
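
A version check built from the two Tableau Server lists above, added here as an example and not part of the advisory itself: it classifies an install by platform and version string and reports the resolved release for its branch. The function names, status labels and sample inventory are assumptions made for this example.

```python
import re

# Last vulnerable maintenance release per branch, transcribed from the
# "Vulnerable versions" lists above; each fix is that number plus one.
LAST_VULNERABLE = {
    "windows": {"10.1": 23, "10.2": 19, "10.3": 19, "10.4": 15, "10.5": 14,
                "2018.1": 11, "2018.2": 8, "2018.3": 5},
    "linux": {"10.5": 14, "2018.1": 11, "2018.2": 8, "2018.3": 5},
}

# Constructed sample inventory; host names are made up for this example.
SAMPLE = [
    ("tab-prod-01", "windows", "2018.2.8"),
    ("tab-prod-02", "linux", "2018.3.6"),
    ("tab-lab-01", "windows", "9.3.4"),
]

def parse_version(text):
    """Split '2018.2.8' into branch '2018.2' and maintenance number 8.
    A bare branch such as '10.5' counts as maintenance release 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3) or 0)

def triage(platform, version):
    """Return (status, resolved_version) for one Tableau Server install.
    status is 'vulnerable', 'fixed' or 'not-listed'."""
    branches = LAST_VULNERABLE.get(platform.lower())
    if branches is None:
        raise ValueError(f"platform must be windows or linux, got {platform!r}")
    branch, maint = parse_version(version)
    if branch not in branches:
        # The advisory does not list this branch. It notes that versions no
        # longer supported are not tested and may be vulnerable, so flag
        # the host for manual review instead of reporting it as safe.
        return "not-listed", None
    resolved = f"{branch}.{branches[branch] + 1}"
    return ("vulnerable" if maint <= branches[branch] else "fixed"), resolved

def triage_inventory(rows):
    """Map each host name to its (status, resolved_version) result."""
    return {host: triage(platform, version) for host, platform, version in rows}

if __name__ == "__main__":
    for host, (status, resolved) in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}" + (f" (resolved in {resolved})" if resolved else ""))
```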


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Prep Builder

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.