QID 375433

Date Published: 2021-04-15

QID 375433: Tableau Server Multiple Vulnerabilities (ADV-2021-010,ADV-2021-011,ADV-2021-012)

Tableau Server is a Business Intelligence application that allows its users to organize, edit, share, and collaborate on Tableau dashboards.

Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users.

A background image edit command causes the vizql server process within Tableau Server to crash.

HTML characters are not properly encoded in emails sent to users for data driven alerts.

Affected Versions:
Tableau Server on Linux 2018.2 through 2018.2.29
Tableau Server on Linux 2018.3 through 2018.3.28
Tableau Server on Linux 2019.1 through 2019.1.26
Tableau Server on Linux 2019.2 through 2019.2.22
Tableau Server on Linux 2019.3 through 2019.3.18
Tableau Server on Linux 2019.4 through 2019.4.17
Tableau Server on Linux 2020.1 through 2020.1.14
Tableau Server on Linux 2020.2 through 2020.2.11
Tableau Server on Linux 2020.3 through 2020.3.6
Tableau Server on Linux 2020.4 through 2020.4.2

Tableau Server on Windows 2018.2 through 2018.2.29
Tableau Server on Windows 2018.3 through 2018.3.28
Tableau Server on Windows 2019.1 through 2019.1.26
Tableau Server on Windows 2019.2 through 2019.2.22
Tableau Server on Windows 2019.3 through 2019.3.18
Tableau Server on Windows 2019.4 through 2019.4.17
Tableau Server on Windows 2020.1 through 2020.1.14
Tableau Server on Windows 2020.2 through 2020.2.11
Tableau Server on Windows 2020.3 through 2020.3.6
Tableau Server on Windows 2020.4 through 2020.4.2

QID Detection Logic (Authenticated)
This QID checks the file version of tabsvc.exe for Tableau Server.

An authenticated user can force Tableau Server to send emails containing an arbitrary URL to other Tableau Server users.

An authenticated attacker with low privileges can send a crafted message to Tableau Server that makes Tableau Server unresponsive for an extended period of time.

A Tableau user can craft phishing emails to other Tableau Server users.

CVSS V3 rated as High - 6.1 severity.
CVSS V2 rated as Medium - 5.8 severity.

Solution:
Customers are advised to refer to ADV-2021-010, ADV-2021-011 and ADV-2021-012 for information pertaining to remediating this vulnerability.

CVEs related to QID 375433

Software Advisories:
Advisory ID   Software Component   Link
ADV-2021-010  URL                  help.salesforce.com/articleView?id=000357424&type=1&mode=1
ADV-2021-011  URL                  help.salesforce.com/articleView?id=000357453&type=1&mode=1
ADV-2021-012  URL                  help.salesforce.com/articleView?id=000357454&type=1&mode=1