XSS in dataviz.mozilla.org
Categories
(Data & BI Services Team :: BI: Tableau Administration, defect)
Tracking
(Not tracked)
People
(Reporter: bogus, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments (1 file)
42.02 KB, image/png
PoC is below
https://dataviz.mozilla.org/en/embeddedAuthRedirect.html?auth=javascript:alert(document.domain)
When you open this URL, JavaScript is executed.
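As an added example (not Tableau's code and not part of the report), the shape of redirect handler the PoC abuses is shown next to a hardened check: a caller-supplied URL parameter such as auth= is only followed if it parses to an http(s) URL on the application's own origin, which rejects javascript:, data: and off-site targets alike. The function names, the navigate() callback and the sample inputs are assumptions made for this demonstration.

```javascript
// Added example (not Tableau's code): the redirect pattern the PoC abuses,
// beside a hardened check. Names, the navigate() callback and the sample
// inputs are assumptions made for this demonstration.

// Vulnerable shape: the parameter value is handed straight to the navigator.
// "javascript:alert(document.domain)" then runs as script in the page's own
// origin (XSS), and "https://evil.example/" becomes an open redirect.
function vulnerableRedirect(paramValue, navigate) {
  navigate(paramValue);
}

// Hardened: return an absolute URL the page may navigate to, or null.
// Only http(s) targets on the application's own origin are accepted.
function safeRedirectTarget(paramValue, appOrigin) {
  if (typeof paramValue !== 'string' || paramValue.trim() === '') return null;
  // Refuse protocol-relative and backslash-prefixed forms ("//evil", "/\evil")
  // up front; the origin comparison below would catch them as well.
  if (/^\s*[\/\\]{2}/.test(paramValue)) return null;
  let target;
  try {
    // Resolve against the app origin: a site-relative path stays on-site, an
    // absolute URL keeps its own scheme and host for inspection. The WHATWG
    // URL parser strips leading whitespace and embedded tabs/newlines and
    // lowercases the scheme, so "  JavaScript:" and "java\tscript:" are caught.
    target = new URL(paramValue, appOrigin);
  } catch (e) {
    return null;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null; // javascript:, data:, vbscript:
  if (target.origin !== new URL(appOrigin).origin) return null;               // any other host or scheme
  return target.href;
}

// Hardened shape of the handler: navigate to the validated target, else to a
// safe fallback. Returns whether the supplied value was accepted.
function hardenedRedirect(paramValue, appOrigin, navigate, fallback) {
  const target = safeRedirectTarget(paramValue, appOrigin);
  navigate(target === null ? fallback : target);
  return target !== null;
}

// Run both handlers against the reported PoC value with a recording navigator.
function demo() {
  const appOrigin = 'https://dataviz.mozilla.org';
  const poc = 'javascript:alert(document.domain)';   // constructed from the report
  const result = { vulnerable: null, hardened: null, accepted: false };
  vulnerableRedirect(poc, (u) => { result.vulnerable = u; });
  result.accepted = hardenedRedirect(poc, appOrigin, (u) => { result.hardened = u; }, appOrigin + '/');
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The vulnerable handler forwards the javascript: value unchanged, while the hardened one falls back to the site root; the same check also closes the plain open-redirect case (https://evil.example/) that the Tableau advisory describes.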
Comment 1•5 years ago
Hi Yuji, thanks for the report. I can replicate it.
Shraddha, this is a new vulnerability affecting Tableau: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19719. It looks like the vendor will fix it in a future release. Can you please refer to this page: https://community.tableau.com/community/security-bulletins/blog/2019/11/19/important-adv-2019-047-open-redirect-on-embeddedauthredirect-page and update our Tableau instance? Thanks.
Comment 8•5 years ago
Note this affects the staging site https://dataviz.allizom.org as well (bug 1604138). I assume that will actually get fixed first given the way we roll things out, but thought I'd mention it in case that's an orphan.
Comment 10•5 years ago
The Tableau bug has been assigned CVE-2019-19719, and the reason we're getting all these duplicates is that it's public and people are scanning for it. The Tableau folks rate this "medium", so going with that.
Comment 12•5 years ago
Should we make this publicly visible, even though it isn't fixed? It might help with some of the duplicates that we're getting.
Comment 14•5 years ago
(In reply to April King [:April] from comment #12)
> Should we make this publicly visible, even though it isn't fixed? It might help with some of the duplicates that we're getting.
It's not fixed on our end, but the Tableau people have fixed it. Assuming our server isn't lying, we have Tableau Server Version: 2019.2.1 (20192.19.0621.1547), and it's fixed in 2019.2.6.
Can we assign this bug to someone who maintains those servers?
(un-hiding bug because you're right that the issue is totally public anyway)
Comment 15•5 years ago
Maybe changing the product/component will help.
Comment 17•5 years ago
We upgraded to 2019.4.1 at the end of last week which should have, and appears to have, fixed this.
Comment 18•5 years ago
This bug is eligible for our Hall of Fame. Reporter, how would you like to be credited and linked? Thanks!
Comment 20•5 years ago
Thank you! Please credit the name below
Name: Yuji Tounai
Link: https://twitter.com/yousukezan