CVE-2023-4932

Name of the Vulnerable Software and Affected Versions SAS application versions 9.4 M7 through 9.4 M8

Description The SAS application is vulnerable to Reflected Cross-Site Scripting (XSS) due to improper input validation in the program parameter of the "/SASStoredProcess/do" endpoint. This allows arbitrary JavaScript to be executed when a specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user.

Recommendations For versions 9.4 M7 and 9.4 M8, apply the published hot fixes to resolve the issue. As a temporary workaround, consider restricting access to the "/SASStoredProcess/do" endpoint until the hot fix is applied. Avoid using the program parameter in the affected endpoint until the issue is resolved.