CVE-2014-1204

Tableau Server 8.0.x-8.0.6 and 8.1.x-8.1.1 - Authenticated SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-1204. PoCs published by Trustwave's SpiderLabs.

AI-analyzed exploit summary This advisory describes a blind SQL injection vulnerability in Tableau Server versions 8.1.X before 8.1.2 and 8.0.X before 8.0.7. The vulnerability allows authenticated or guest users to inject arbitrary SQL into the backend Oracle database via the 'modified_after' or 'modified_before' parameters.

Description

SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be exploited by unauthenticated remote attackers if the guest user is enabled.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Trustwave's SpiderLabs · textwebappswindows

https://www.exploit-db.com/exploits/31578

View Code ZIP pw:eip

This advisory describes a blind SQL injection vulnerability in Tableau Server versions 8.1.X before 8.1.2 and 8.0.X before 8.0.7. The vulnerability allows authenticated or guest users to inject arbitrary SQL into the backend Oracle database via the 'modified_after' or 'modified_before' parameters.

Classification

Writeup 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Tableau Server 8.1.X before 8.1.2 and 8.0.X before 8.0.7

Auth required

Prerequisites: Authenticated user or guest access enabled

MITRE ATT&CK