Closed Bug 1603929 Opened 5 years ago Closed 5 years ago

XSS in dataviz.mozilla.org

Categories

(Data & BI Services Team :: BI: Tableau Administration, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bogus, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Attached image Screenshot
Flags: sec-bounty?

Hi Yuji, thanks for the report. I can replicate it.

Shraddha, this is a new vulnerability affecting Tableau: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19719. It looks like the vendor will fix it in a future release. Can you please refer to this page: https://community.tableau.com/community/security-bulletins/blog/2019/11/19/important-adv-2019-047-open-redirect-on-embeddedauthredirect-page and update our Tableau instance? Thanks.

Flags: needinfo?(spatil)
Flags: needinfo?(spatil)

Note this affects the staging site https://dataviz.allizom.org as well (bug 1604138). I assume that will actually get fixed first given the way we roll things out, but thought I'd mention it in case that's an orphan.

The Tableau bug has been assigned CVE-2019-19719, and the reason we're getting all these duplicates is that it's public and people are scanning for it. The Tableau folks rate this "medium", so going with that.

https://community.tableau.com/community/security-bulletins/blog/2019/11/19/important-adv-2019-047-open-redirect-on-embeddedauthredirect-page

Status: UNCONFIRMED → NEW
Ever confirmed: true

Should we make this publicly visible, even though it isn't fixed? It might help with some of the duplicates that we're getting.

(In reply to April King [:April] from comment #12)

> Should we make this publicly visible, even though it isn't fixed? It might help with some of the duplicates that we're getting.

It's not fixed on our end, but the Tableau people have fixed it. Assuming our server isn't lying, we have Tableau Server Version: 2019.2.1 (20192.19.0621.1547), and it's fixed in 2019.2.6.

Can we assign this bug to someone who maintains those servers?

(Un-hiding bug because you're right that the issue is totally public anyway.)

Group: websites-security
Type: task → defect
Flags: needinfo?(april)

Maybe changing the product/component will help.

Component: Other → BI: Tableau Administration
Product: Websites → Data & BI Services Team
QA Contact: spatil
Version: unspecified → other
Flags: needinfo?(april)

:gozer can you look into this?

Flags: needinfo?(gozer)

We upgraded to 2019.4.1 at the end of last week which should have, and appears to have, fixed this.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

This bug is eligible for our Hall of Fame. Reporter, how would you like to be credited as and linked as? Thanks!

Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

Thank you! Please credit the name below

Name: Yuji Tounai
Link: https://twitter.com/yousukezan

Flags: needinfo?(gozer)