Highest overall severity: Medium


Summary:

Tableau Server fails to properly validate the path that is presented on an embedded authentication redirect page.


Impact:

A Tableau Server user who clicks on a malicious link could initiate a reflected cross-site scripting (XSS) operation with JavaScript, which runs in the client context. Alternatively, a Tableau Server user who clicks on a malicious link could be redirected to an attacker-controlled location.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: Medium
CVSS3 Score: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - 4.3 Medium
Product Specific Notes: None.

Vulnerable versions:


Resolved in versions:

  • Tableau Server on Linux 2019.1.10
  • Tableau Server on Linux 2019.2.6
  • Tableau Server on Linux 2019.3.2

  • Tableau Server on Windows 2019.1.10
  • Tableau Server on Windows 2019.2.6
  • Tableau Server on Windows 2019.3.2

 

Tableau Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Bridge (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Prep (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Reader (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Mobile (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.

 

Tableau Public Desktop (Back to top of page)

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.