PT-2019-4304 · Sap · Sap Businessobjects Business Intelligence Platform

Published

2019-10-08

Updated

2019-10-11

CVE-2019-0374

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) versions prior to 4.2 and 4.3

Description The issue is related to insufficient encoding of user-controlled inputs in the Web Intelligence HTML interface, allowing the execution of scripts in the chart title. This results in reflected Cross-Site Scripting, which can be exploited by a remote attacker to perform cross-site scripting attacks.

Recommendations For versions prior to 4.2 and 4.3, consider disabling the chart title feature in the Web Intelligence HTML interface until a patch is available. Restrict access to the Web Intelligence HTML interface to minimize the risk of exploitation. Avoid using user-controlled inputs in the chart title until the issue is resolved.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2020-00019

CVE-2019-0374

Affected Products

Sap Businessobjects Business Intelligence Platform

PT-2019-4304 · Sap · Sap Businessobjects Business Intelligence Platform

CVE-2019-0374

Weakness Enumeration

Related Identifiers

Affected Products

References · 5