PT-2022-9050 · Sap · Sap Businessobjects Business Intelligence Platform
Published: 2022-06-06 · Updated: 2022-06-14 · CVE-2020-6220
CVSS v3.1: 4.7 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SAP Business Objects Business Intelligence Platform versions 4.1, 4.2
Description
The issue is related to insufficient encoding of user-controlled inputs in BI Launchpad and CMC, resulting in a Cross-Site Scripting (XSS) issue. The exploit is possible only when the bttoken in the victim's session is active.
Recommendations
For versions 4.1 and 4.2, consider restricting access to user-controlled inputs until a patch is available.
As a temporary workaround, consider implementing additional encoding for user-controlled inputs to minimize the risk of exploitation.
Restrict access to the bttoken in the victim's session to prevent exploitation.
Fix
XSS
Affected Products
Sap Businessobjects Business Intelligence Platform