PT-2021-14515 · SAP · SAP BusinessObjects Business Intelligence Platform
Published: 2021-01-12 · Updated: 2021-03-04 · CVE-2021-21447
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SAP BusinessObjects Business Intelligence platform versions 410, 420
Description
The issue allows an authenticated attacker to inject a malicious JavaScript payload into the custom value input field of an Input Control. The payload is executed when a user views the relevant application content, leading to Stored Cross-Site Scripting.
Recommendations
For SAP BusinessObjects Business Intelligence platform versions 410, 420, consider disabling the custom value input field of an Input Control as a temporary workaround until a patch is available. Restrict access to the Input Control to minimize the risk of exploitation. Avoid using the custom value input field in the affected application content until the issue is resolved.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
SAP BusinessObjects Business Intelligence Platform