
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

23 Feb 2020 — Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly. • http://support.sas.com/kb/65/358.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 21 | EXPL: 2

14 Nov 2019 — SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. • https://github.com/mbadanoiu/CVE-2019-14678 • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

31 Jul 2019 — SAS Drug Development (SDD) before 32DRG02 mishandles logout actions, which allows a user (who was previously logged in) to access resources by pressing a back or forward button in a web browser. • http://ftp.sas.com/techsup/download/hotfix/drugdev/32drg02/SDD_Release_Notes_32DRG02.pdf • CWE-20: Improper Input Validation

CVSS: 9.8 | EPSS: 88% | CPEs: 1 | EXPL: 2

06 May 2019 — An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such a vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to ... • https://packetstorm.news/files/id/155559 • CWE-502: Deserialization of Untrusted Data

CVSS: 6.1 | EPSS: 0% | CPEs: 12 | EXPL: 0

17 Jan 2019 — Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows reflected XSS on the Timeout page. • http://support.sas.com/kb/55/537.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 4% | CPEs: 12 | EXPL: 0

17 Jan 2019 — SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to execute arbitrary code via a Java deserialization variant. • http://www.securityfocus.com/bid/106648 • CWE-502: Deserialization of Untrusted Data

CVSS: 7.5 | EPSS: 0% | CPEs: 12 | EXPL: 0

17 Jan 2019 — BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE (XML External Entity). • http://support.sas.com/kb/62/987.html • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

25 Aug 2014 — Unrestricted file upload vulnerability in the image upload module in SAS Visual Analytics 6.4M1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors. • http://packetstormsecurity.com/files/127866/SAS-Visual-Analytics-6.4M1-Arbitrary-File-Upload.html

CVSS: 9.3 | EPSS: 9% | CPEs: 4 | EXPL: 0

28 Feb 2014 — Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS 9.3 TS1M1 and TS1M2, and SAS 9.4 TS1M0 allows user-assisted remote attackers to execute arbitrary code via a crafted SAS program. • http://secunia.com/advisories/57029 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

31 Dec 2002 — sastcpd in SAS/Base 8.0 allows local users to execute arbitrary code by setting the authprog environment variable to reference a malicious program, which is then executed by sastcpd. • http://online.securityfocus.com/archive/1/253183