Highest overall severity: Low

 

Summary:

The API used to update a user's profile image does not protect the user from cross-site request forgery.

 

Impact:

An attacker who is able to persuade a victim to visit a malicious website can change the victim's profile picture on Tableau Server.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: Low
CVSS3 Score: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N - 3.7 Low
Product Specific Notes: None.

Vulnerable versions:

  • Tableau Server on Linux 10.5 through 10.5.20
  • Tableau Server on Linux 2018.1 through 2018.1.17
  • Tableau Server on Linux 2018.2 through 2018.2.14
  • Tableau Server on Linux 2018.3 through 2018.3.11
  • Tableau Server on Linux 2019.1 through 2019.1.8
  • Tableau Server on Linux 2019.2 through 2019.2.4
  • Tableau Server on Linux 2019.3 through 2019.3.0

  • Tableau Server on Windows 10.5 through 10.5.20
  • Tableau Server on Windows 2018.1 through 2018.1.17
  • Tableau Server on Windows 2018.2 through 2018.2.14
  • Tableau Server on Windows 2018.3 through 2018.3.11
  • Tableau Server on Windows 2019.1 through 2019.1.8
  • Tableau Server on Windows 2019.2 through 2019.2.4
  • Tableau Server on Windows 2019.3 through 2019.3.0

Resolved in versions:

  • Tableau Server on Linux 10.5.21
  • Tableau Server on Linux 2018.1.18
  • Tableau Server on Linux 2018.2.15
  • Tableau Server on Linux 2018.3.12
  • Tableau Server on Linux 2019.1.9
  • Tableau Server on Linux 2019.2.5
  • Tableau Server on Linux 2019.3.1

  • Tableau Server on Windows 10.5.21
  • Tableau Server on Windows 2018.1.18
  • Tableau Server on Windows 2018.2.15
  • Tableau Server on Windows 2018.3.12
  • Tableau Server on Windows 2019.1.9
  • Tableau Server on Windows 2019.2.5
  • Tableau Server on Windows 2019.3.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.