CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4932 – Reflected Cross-Site Scripting in SAS 9.4
https://notcve.org/view.php?id=CVE-2023-4932
12 Dec 2023 — SAS application is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in the `_program` parameter of the the `/SASStoredProcess/do` endpoint allows arbitrary JavaScript to be executed when specially crafted URL is opened by an authenticated user. The attack is possible from a low-privileged user. Only versions 9.4_M7 and 9.4_M8 were tested and confirmed to be vulnerable, status of others is unknown. For above mentioned versions hot fixes were published. • https://cert.pl/en/posts/2023/12/CVE-2023-4932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2002-2017
https://notcve.org/view.php?id=CVE-2002-2017
31 Dec 2002 — sastcpd in SAS/Base 8.0 allows local users to execute arbitrary code by setting the authprog environment variable to reference a malicious program, which is then executed by sastcpd. • http://online.securityfocus.com/archive/1/253183 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2002-2018
https://notcve.org/view.php?id=CVE-2002-2018
31 Dec 2002 — sastcpd in SAS/Base 8.0 might allow local users to gain privileges by setting the netencralg environment variable, which causes a segmentation fault. • http://online.securityfocus.com/archive/1/253183 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2002-0218
https://notcve.org/view.php?id=CVE-2002-0218
03 May 2002 — Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument. Vulnerabilidad en cadena de formato en SAStcpd en SAS/Base oobjspawn en Sas/Integration Technologies 8.0 y 8.1permite a usuarios locales ejecutar código arbitrario mediante especificadores de formato en un argumento de línea de comandos. • http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2002-0219
https://notcve.org/view.php?id=CVE-2002-0219
03 May 2002 — Buffer overflow in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via large command line argument. Desbordamiento de Buffer en SAS/Base 8.0 y 8.1 oSAS/Integration Technologies 8.0 y 8.1 permite a usuarios locales ejecutar código arbitrario mediante argumentos de linea de comando largos. • http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html •