Stored XSS Vulnerability Discovered in SAS 9.4 Admin Console — CVE -2023–24724

Abstract: In this article, we discuss a recently discovered stored Cross-Site Scripting (XSS) vulnerability in the SAS 9.4 Admin Console, a popular business analytics and intelligence platform. This vulnerability allows an attacker to inject and execute malicious scripts in the victim’s browser, compromising data security and system integrity.

Figue — Inserting payload

Figure — XSS stored successfully

Introduction: SAS 9.4 is an advanced analytics and business intelligence platform used by companies worldwide for data-driven decision-making. Like any software, it is crucial to ensure the security and integrity of the data processed and stored. We have recently discovered a stored XSS vulnerability in the SAS 9.4 Admin Console, which can be exploited by attackers to compromise user and data security.

Vulnerability Details: The stored XSS vulnerability was identified in the user management module of the SAS 9.4 Admin Console. Specifically, the vulnerability occurs due to insufficient validation and sanitization of data input into the user creation and editing form fields.

An attacker can exploit this vulnerability by injecting a malicious script into one of the form fields, such as first name, last name, or user description. Once the form is saved, the malicious script is stored in the database and will be executed in the browser of any user who views the affected page in the Admin Console.

Impact: Successful exploitation of this vulnerability allows an attacker to:

1. Steal sensitive information, such as user sessions and credentials.
2. Manipulate the Admin Console interface to display incorrect or misleading information.
3. Perform unwanted actions on behalf of the affected user, such as deleting or modifying data.
4. Spread infection to other system users.

Mitigation and Recommendations: To mitigate this vulnerability, SAS 9.4 administrators should:

1. Update to the latest software version, if available, which includes security patches.
2. Implement additional security measures, such as Content Security Policy (CSP) to limit the execution of scripts from unknown sources.
3. Adopt secure development practices, including proper validation and sanitization of user input data.

Conclusion: The discovery of this stored XSS vulnerability in the SAS 9.4 Admin Console highlights the importance of security and secure development practices in maintaining data integrity and protecting user information. We recommend that SAS administrators follow the mitigation measures mentioned and stay up-to-date on the latest security updates.