Cross-site Scripting Vulnerability in SAP BusinessObjects Financial Consolidation
CVE-2017-6061
4.7 MEDIUM
Key Information:
- Vendor: SAP
- CVE Published: 16 March 2017
Summary
A cross-site scripting (XSS) vulnerability exists in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933. It permits remote attackers to inject arbitrary web script or HTML through a specially crafted GET request to the URI /finance/help/en/frameset.htm. Exploitation of this vulnerability could lead to significant security risks, compromising the integrity and confidentiality of user interactions within the application. The vendor has issued SAP Security Note 2368106, which provides guidance on mitigating this vulnerability.
CVSS V3.1
- Score: 4.7
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved