Hash: SHA512  
Advisory ID: SYSS-2020-032  
Product: Tableau Server  
Manufacturer: Tableau Software, LLC, a Salesforce Company  
Affected Version(s): 2019.4-2019.4.17, 2020.1-2020.1.13,  
2020.2-2020.2.10, 2020.3-2020.3.6, 2020.4-2020.4.2  
Tested Version(s): 2020.2.1 (20202.20.0525.1210) 64-bit Windows  
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2020-07-29  
Solution Date: 2021-03-23  
Public Disclosure: 2021-03-23  
CVE Reference: CVE-2021-1629  
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH  
Tableau Server is an online data management, analysis, and visualization  
The manufacturer describes the product as follows [1]:  
"Tableau Server enables everyone in an organization to see and  
understand data, with offerings for every user type."  
Due to insufficient server-side validation of user input, Tableau  
Server is vulnerable to URL redirection to untrusted site by the "Share  
view" function. An authenticated attacker can replace the shared view's  
URL by the URL of a malicious web page.  
Vulnerability Details:  
A feature of the Tableau Server web application allows users to share  
views with other users of the same Tableau site. Upon clicking on a  
standard share icon, a dialog box appears in which the sharer can chose  
an arbitrary number of recipients from a list of all users of the same  
Tableau site. Upon clicking on the "Share" button in the dialog box,  
the user client sends a POST request containing among other data the  
recipients' user IDs and the shared resource's URL.  
An attacker with access to a viewer account (no higher privileges are  
needed for sharing a view) can send a "Share view" request, intercept  
it, and replace the shared view's URL by the URL of a malicious web  
page. Without sufficient validation of the relevant parameter, the  
Tableau server sends to all specified recipients a trustworthy email  
message including a Tableau logo and a PNG image of the shared view. A  
victim who clicks on the image or on the "Go to View" button lands on  
the malicious web page, because the value of the href attribute of the  
underlying anchor element has been set to the URL specified by the  
Note that, technically, this is not an open redirect vulnerability,  
because the victim's browser is directed to an untrusted location by an  
email client or a web mail application, rather than being redirected by  
the Tableau Server itself. The effect is, however, virtually the same,  
because open redirect payloads are also usually delivered to victims  
via email. Moreover, in the present case, the whole email message  
including the sender (the Tableau server) is completely authentic --  
except for the manipulated URL. Thus, it is much more trustworthy than,  
e.g., an average phishing mail containing an open redirect link.  
Note also that, if the malicious URL points to a fake copy of the  
Tableau Server login page, landing on it would not raise the victim's  
suspicion, since opening a Tableau view shared via email, indeed,  
requires authentication. Thus, a phishing attack has a great chance of  
success. The attacker needs, however, an access to a Tableau account.  
Another important limitation is that the group of potential victims is  
restricted to the users of the same Tableau site.  
Proof of Concept (PoC):  
An authenticated attacker shares the view "Project/Topic" with two  
other users of the same Tableau site "Site", one of them being the site  
administrator (user ID: 1234).  
The attacker's browser sends the following request to the Tableau Server  
at ([...] denotes abridged content):  
POST /vizportal/api/web/v1/shareContent HTTP/1.1  
content-type: application/json  
"method": "shareContent",  
"params": {  
"contentId": 45684,  
"contentType": "view",  
"recipients": [{  
"type": "USER",  
"id": "1234"  
}, {  
"type": "USER",  
"id": "1238"  
"url": "[...]",  
"message": "Check this out!",  
"shouldShareThumbnail": false  
The attacker intercepts the request and replaces the view's URL:[...]  
by the URL of a fake copy of the Tableau Server login page:[true view URL]  
The victim receives a notification email from the Tableau Server  
including an image of the shared view and a "Go to View" button, as  
explained above. Upon clicking on one of these elements, the fake  
Tableau Server login page is opened in the victim's browser. If the  
victim does not notice the difference in the domain name, he/she fills  
the login form with username and password, and presses the "Sing In"  
button. The credentials are submitted to the attacker's server  
The attacker's sever-side script receives and stores the stolen  
credentials and redirects the victim's browser back to the authentic  
Tableau site.  
Upgrade Tableau Server to version 2019.4.18, 2020.1.14, 2020.2.11,  
2020.3.7, 2020.4.3, or 2021.1.  
Disclosure Timeline:  
2020-07-21: Vulnerability discovered  
2020-07-29: Vulnerability reported to Tableau Security Team (TST)  
2020-07-30: TST confirmed the vulnerability and asked for more time than  
the usual 45 days [4] to fix it as well as for coordinated disclosure;  
SySS GmbH agreed  
2020-08-04: TST promised to acknowledge in their disclosure  
Dr. Vladimir Bostanov of SySS GmbH as discoverer of the vulnerability  
2020-11-19: Upon inquiry by SySS GmbH, TST asked for more time for  
fixing the vulnerability  
2021-02-11: Upon warning by SySS GmbH, TST quoted 2021-03-23 as a  
tentative release date for the fixed versions and promised to inform  
SySS GmbH by 2021-03-12, if the vulnerability fix would be included  
in the March releases  
2021-03-16: SySS GmbH asked TST about any news; TST did not answer  
2021-03-18: SySS GmbH asked again, TST did not answer  
2021-03-23: Upon third inquiry by SySS GmbH, TST asked SySS GmbH  
to "have patience" and promised to "provide information soon"  
2021-03-23: Salesforce disclosed the vulnerability WITHOUT  
mentioning Dr. Vladimir Bostanov or SySS GmbH [3]; SySS GmbH was NOT  
informed about the disclosure (but found out about it on 2021-04-06)  
[1] Product website for Tableau Server  
[2] SySS Security Advisory SYSS-2020-032  
Open Redirect in Tableau Server  
[3] Salesforce security advisory ADV-2021-010  
Tableau Server Open Redirect  
[4] SySS Responsible Disclosure Policy  
This security vulnerability was found  
by Dr. Vladimir Bostanov of SySS GmbH.  
Public Key:  
Key ID: 0xA589542B  
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as possible.  
The latest version of this security advisory is available on the  
SySS GmbH web site.  
Creative Commons - Attribution (by) - Version 3.0