PT-2023-5024 · Alteryx · Alteryx Server

Dylangrl · Published 2023-08-08 · Updated 2023-08-21 · CVE-2023-26961

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Alteryx Server version 2022.1.1.42590

Description: Alteryx Server does not adequately protect the structure of its web pages, allowing remote attackers to perform cross-site scripting (XSS) via the type field of a PUT request to the "/gallery/api/media" endpoint. The same weakness also allows arbitrary file upload: by changing the file extension, an attacker can store JavaScript content and use it for stored XSS.

Recommendations: For Alteryx Server version 2022.1.1.42590, consider disabling file uploads via the "/gallery/api/media" endpoint until a patch is available. Restrict the values accepted in the type field of the JSON document sent in the PUT request to minimize the risk of exploitation. As a temporary workaround, verify the type of uploaded files so that attackers cannot upload arbitrary content.
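One way to implement the file type verification recommended above, as an added example that is not Alteryx's code: the request shape (a "type" field, a client filename and the raw bytes), the allowlist and the helper names are assumptions. The check rejects a mismatch between any two of declared type, extension and content, so a script renamed to an image extension does not get stored.

```python
import os

# Allowlist: canonical type -> accepted extensions and leading "magic" bytes.
ALLOWED_TYPES = {
    "image/png":  {"ext": {".png"},          "magic": (b"\x89PNG\r\n\x1a\n",)},
    "image/jpeg": {"ext": {".jpg", ".jpeg"}, "magic": (b"\xff\xd8\xff",)},
    "image/gif":  {"ext": {".gif"},          "magic": (b"GIF87a", b"GIF89a")},
}

def validate_media_upload(declared_type, filename, data):
    """Return (True, canonical_type) or (False, reason).

    declared_type is the "type" field from the request JSON, filename the
    client-supplied name and data the raw file bytes (all untrusted).
    """
    # Rule 1: the type must come from the allowlist; it is never stored or
    # rendered as the client supplied it, so markup in this field goes nowhere.
    canonical = declared_type.strip().lower()
    spec = ALLOWED_TYPES.get(canonical)
    if spec is None:
        return False, "declared type not allowed"
    # Rule 2: the extension must belong to the declared type. basename() drops
    # any path components; the last suffix decides, so "a.png.js" is ".js".
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in spec["ext"]:
        return False, "extension does not match declared type"
    # Rule 3: the content must look like the declared type, so a script file
    # renamed to .png is rejected even though rules 1 and 2 pass.
    if not data.startswith(spec["magic"]):   # startswith accepts a tuple
        return False, "file content does not match declared type"
    return True, canonical

def media_response_headers(canonical_type):
    """Headers for serving a stored file: a fixed Content-Type taken from the
    allowlist, no MIME sniffing by the browser, and download-only disposition."""
    return {
        "Content-Type": canonical_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }

if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(validate_media_upload("image/png", "logo.PNG", png))
    print(validate_media_upload("image/png", "logo.png", b"// script body"))
    print(validate_media_upload("<b>x</b>", "logo.png", png))
```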

Exploit · Fix · RCE · XSS


Weakness Enumeration

Related Identifiers: BDU:2023-05563, CVE-2023-26961

Affected Products: Alteryx Server