Details of VAR-201912-1402

ID

VAR-201912-1402

CVE

CVE-2019-19719

TITLE

Tableau Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-012906

DESCRIPTION

Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. Tableau Server Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. This product is mainly used to manage and share data visualizations, interactive dashboards, workbooks and reports created by Tableau Desktop data visualization software. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2019-19719 // JVNDB: JVNDB-2019-012906 // CNVD: CNVD-2020-04286 // VULMON: CVE-2019-19719

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-04286

AFFECTED PRODUCTS

vendor:	tableau	model:	server	scope:	lte	version:	2019.4	Trust: 1.0
vendor:	tableau	model:	server	scope:	gte	version:	10.3	Trust: 1.0
vendor:	tableau	model:	server	scope:	eq	version:	2019.4 for up to 10.3	Trust: 0.8
vendor:	tableau	model:	software tableau software server	scope:	gte	version:	10.3,<=2019.4	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.2.5	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.3	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.2.6	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.3.1	Trust: 0.6
vendor:	linux	model:	kernel	scope:	eq	version:	-	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.2.4	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.4	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.2.3	Trust: 0.6
vendor:	tableau	model:	server	scope:	eq	version:	2019.3.2	Trust: 0.6
vendor:	microsoft	model:	windows	scope:	eq	version:	-	Trust: 0.6

sources: CNVD: CNVD-2020-04286 // JVNDB: JVNDB-2019-012906 // CNNVD: CNNVD-201912-480 // NVD: CVE-2019-19719

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-19719
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-19719
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-04286
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201912-480
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2019-19719
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-19719
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-04286
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-19719
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2019-19719
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-04286 // VULMON: CVE-2019-19719 // JVNDB: JVNDB-2019-012906 // CNNVD: CNNVD-201912-480 // NVD: CVE-2019-19719

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-012906 // NVD: CVE-2019-19719

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-480

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201912-480

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012906

PATCH

title:	[Important] ADV-2019-047: Open redirect on embeddedAuthRedirect page	url:	https://community.tableau.com/community/security-bulletins/blog/2019/11/19/important-adv-2019-047-open-redirect-on-embeddedauthredirect-page	Trust: 0.8
title:	Patch for Tableau Server Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/199519	Trust: 0.6
title:	Tableau Software Server Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=104538	Trust: 0.6
title:	jaeles	url:	https://github.com/jaeles-project/jaeles	Trust: 0.1
title:	jaeles-signatures	url:	https://github.com/jaeles-project/jaeles-signatures	Trust: 0.1
title:	kenzer-templates	url:	https://github.com/Elsfa7-110/kenzer-templates	Trust: 0.1
title:	kenzer-templates	url:	https://github.com/ARPSyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2020-04286 // VULMON: CVE-2019-19719 // JVNDB: JVNDB-2019-012906 // CNNVD: CNNVD-201912-480

EXTERNAL IDS

db:	NVD	id:	CVE-2019-19719	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-012906	Trust: 0.8
db:	CNVD	id:	CNVD-2020-04286	Trust: 0.6
db:	CNNVD	id:	CNNVD-201912-480	Trust: 0.6
db:	VULMON	id:	CVE-2019-19719	Trust: 0.1

sources: CNVD: CNVD-2020-04286 // VULMON: CVE-2019-19719 // JVNDB: JVNDB-2019-012906 // CNNVD: CNNVD-201912-480 // NVD: CVE-2019-19719

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-19719	Trust: 2.0
url:	https://community.tableau.com/community/security-bulletins/blog/2019/11/19/important-adv-2019-047-open-redirect-on-embeddedauthredirect-page	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19719	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/jaeles-project/jaeles	Trust: 0.1

sources: CNVD: CNVD-2020-04286 // VULMON: CVE-2019-19719 // JVNDB: JVNDB-2019-012906 // CNNVD: CNNVD-201912-480 // NVD: CVE-2019-19719

SOURCES

db:	CNVD	id:	CNVD-2020-04286
db:	VULMON	id:	CVE-2019-19719
db:	JVNDB	id:	JVNDB-2019-012906
db:	CNNVD	id:	CNNVD-201912-480
db:	NVD	id:	CVE-2019-19719

LAST UPDATE DATE

2024-08-14T14:56:36.115000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-04286	date:	2020-02-07T00:00:00
db:	VULMON	id:	CVE-2019-19719	date:	2019-12-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-012906	date:	2019-12-16T00:00:00
db:	CNNVD	id:	CNNVD-201912-480	date:	2019-12-26T00:00:00
db:	NVD	id:	CVE-2019-19719	date:	2019-12-12T20:07:55.097

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-04286	date:	2019-12-10T00:00:00
db:	VULMON	id:	CVE-2019-19719	date:	2019-12-11T00:00:00
db:	JVNDB	id:	JVNDB-2019-012906	date:	2019-12-16T00:00:00
db:	CNNVD	id:	CNNVD-201912-480	date:	2019-12-10T00:00:00
db:	NVD	id:	CVE-2019-19719	date:	2019-12-11T04:15:10.573