Beware of Stored XSS Vulnerability in SAP Business Objects Business Intelligence Platform

CVE: CVE-2023-42478
CVSS (v3.1): 7.5
Source: CVE-2023-42478

SAP Business Objects Business Intelligence Platform is a popular business intelligence tool used by many organizations worldwide. Unfortunately, this platform is affected by a stored cross-site scripting (XSS) vulnerability with a CVSS score of 7.5.

Stored XSS occurs when malicious JavaScript is stored on a target server and gets executed when another user views it, typically through a website. In this case, an attacker could upload a maliciously crafted document to the SAP platform that contains JavaScript code. Then, when any other user opens or views this document, the JavaScript would execute within their browser session, potentially allowing the attacker to access their account details or other sensitive information.

The impact of this vulnerability could be high, as the JavaScript code would be executed with the permissions of the affected user. An attacker might use this to hijack user sessions, steal login credentials, or even plant malware on the user’s system.

To protect themselves, users of SAP Business Objects should make sure their installation is fully patched with the latest software updates. Administrators should also carefully review all uploaded documents for signs of malicious code. Users are also advised to avoid opening documents from unknown or untrusted sources within the SAP platform.
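One way to triage uploaded documents for script-capable markup, shown as an added example (not SAP's code and not part of the original advisory). It assumes the uploaded content is HTML- or SVG-style markup, which the advisory does not specify; `scan_document`, the tag and attribute lists, and both sample documents are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: elements and URL attributes treated as "active content" here.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}

# Constructed sample documents (not taken from any real upload).
SAMPLE_CLEAN = (
    "<html><body>\n<h1>Q3 revenue</h1>\n"
    '<a href="https://example.com/report">details</a>\n</body></html>'
)
SAMPLE_SUSPECT = (
    "<html><body>\n"
    '<img src="logo.png" onerror="/* placeholder */">\n'
    '<a href=" JavaScript:void(0)">details</a>\n'
    "<script>/* placeholder */</script>\n</body></html>"
)


class ActiveContentFinder(HTMLParser):
    """Collects (line, reason) pairs for markup that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes character
        # references in attribute values before this method is called.
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            # Drop whitespace/control characters, which browsers tolerate
            # around a URL scheme, then compare case-insensitively.
            scheme = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):  # broad on purpose: this is triage
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and scheme.startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}"))


def scan_document(markup):
    """Return findings for one uploaded document, in document order."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

A finding means the document deserves manual review before other users open it; this kind of check complements patching rather than replacing it.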
