Reflected Cross-Site Scripting in SAP BusinessObjects Business Intelligence Platform
CVE-2019-0375

5.4 MEDIUM

Summary

The Web Intelligence HTML interface of the SAP BusinessObjects Business Intelligence Platform does not sufficiently encode user-controlled input: the report name shown in the export dialog box is rendered without adequate encoding. This flaw permits the execution of arbitrary scripts, resulting in reflected Cross-Site Scripting. Users interacting with the vulnerable interface may inadvertently execute malicious scripts injected into the report naming field. Protection strategies include sanitizing user inputs and keeping software versions updated to reduce exposure.

Affected Version(s)

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) < 4.2

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) < 4.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
