SAS Life Science Analytics Framework 5.4.2a addresses an issue where the application includes a version of CKEditor 4 that is vulnerable to CVE-2021-33829.

Additional details are provided below.

Severity: High

Description: SAS Life Science Analytics Framework 5.4.2 includes a version of CKEditor 4 that is vulnerable to cross-site scripting. For more information, see CVE-2021-33829.

Potential Impact: An attacker could potentially inject executable JavaScript code into SAS Life Science Analytics Framework system messages, internal messages, or notification task messages in the process flow setup.

Notes: 

• All customer upgrades to SAS Life Science Analytics Framework 5.4.2 will include application of 5.4.2a to address the potential vulnerability.
• Specifically, to address the issue reported in the CVE, SAS® Life Science Analytics Framework 5.4.2a integrates the latest version of the CKEditor5 JavaScript rich text editor (44.1.0) into the application for all locations where the component is used.