CVE-2020-9350 in Visual Analytics
Summary
by MITRE
Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly.
Analysis
by VulDB Data Team • 05/12/2025
The vulnerability identified as CVE-2020-9350 affects the Graph Builder component of SAS Visual Analytics 8.5, representing a cross-site scripting flaw that enables remote code execution through manipulated graph templates. This issue arises from insufficient input validation and output encoding mechanisms within the graph template processing pipeline, allowing attackers to inject malicious scripts that execute in the context of authenticated users' browsers. The vulnerability specifically manifests when users access graph templates directly, bypassing normal security controls that would typically validate and sanitize template content before rendering.
The technical implementation of this flaw stems from improper sanitization of user-supplied template data within the Graph Builder module. When a graph template is accessed directly, the system fails to properly escape or filter special characters that could be interpreted as executable script code. This weakness creates an attack surface where an attacker can craft malicious templates containing JavaScript payloads that execute when the template is rendered in a user's browser. The vulnerability is particularly concerning because it operates within the context of authenticated sessions, meaning attackers can leverage legitimate user permissions to execute malicious code, potentially accessing sensitive data or performing unauthorized actions within the analytics platform.
From an operational impact perspective, this vulnerability poses significant risks to organizations relying on SAS Visual Analytics for business intelligence and data visualization. Attackers could exploit this flaw to steal session cookies, redirect users to malicious sites, or execute arbitrary code on victim machines. The attack vector is particularly dangerous because it requires minimal user interaction beyond accessing a specially crafted graph template, making it susceptible to phishing campaigns or compromised template repositories. Organizations using this analytics platform may face data breaches, unauthorized access to sensitive business intelligence, and potential lateral movement within their network infrastructure. The vulnerability can be exploited by both external attackers and privileged insiders with access to template creation or modification capabilities, amplifying the potential impact.
Mitigation strategies for CVE-2020-9350 should focus on immediate patch application from SAS, which addresses the core sanitization issues in the Graph Builder component. Organizations should implement strict template validation policies that enforce secure coding practices and prevent the execution of untrusted template content. Network-level protections such as web application firewalls can help detect and block malicious template access attempts, while regular security audits should verify that template processing logic properly escapes all user-supplied data. Access controls should be strengthened to limit template creation and modification privileges to authorized personnel only, following the principle of least privilege. Browser security enhancements, including content security policies and sandboxing mechanisms, add further defense-in-depth layers. This vulnerability aligns with CWE-79 Cross-site Scripting and follows ATT&CK technique T1059 Command and Scripting Interpreter, representing a classic server-side template injection attack that leverages user trust relationships within enterprise analytics environments.
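One way to combine the template validation, output encoding and content security policy mitigations described above, as an added example that is not SAS code and not part of the original entry. The template shape (title, series[].role, series[].label) and all function names are hypothetical, and the sample input is constructed.

```javascript
// Added example: hypothetical template shape, not SAS Visual Analytics' real format.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode a value for element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Validation policy: walk the template and report string fields that carry
// markup, script-capable URLs or inline event-handler syntax.
function findSuspectFields(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    if (/[<>]|javascript:|\bon\w+\s*=/i.test(node)) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findSuspectFields(item, `${path}[${i}]`, hits));
  } else if (node && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) {
      findSuspectFields(val, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Response for a template that is opened directly: every field is encoded at
// output time, and the headers stop the browser from running injected script.
function renderTemplateResponse(template) {
  const series = (template.series || [])
    .map((s) => `<li data-role="${escapeHtml(s.role)}">${escapeHtml(s.label)}</li>`)
    .join('');
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy':
        "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'none'",
      'X-Content-Type-Options': 'nosniff',
    },
    body: `<h1>${escapeHtml(template.title)}</h1><ul>${series}</ul>`,
  };
}

// Constructed sample input: two fields carry markup, two are benign.
const sampleTemplate = {
  title: '<img src=x onerror=alert(1)>',
  series: [
    { role: 'x" onmouseover="alert(1)', label: 'Revenue' },
    { role: 'y', label: 'Cost & margin' },
  ],
};
```

The validation pass is a review aid for stored templates and can produce false positives; the encoding in renderTemplateResponse is what neutralizes the markup, with the policy header as a second layer.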