PT-2023-15950 · SAP · SAP BusinessObjects Business Intelligence Platform CMC Application

Published

2023-01-10

·

Updated

2023-01-13

·

CVE-2023-0018

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SAP BusinessObjects Business Intelligence Platform CMC application versions 420 and 430

Description

The issue arises from improper input sanitization of user-controlled input in the SAP BusinessObjects Business Intelligence Platform CMC application. An attacker with basic user-level privileges can modify or upload Crystal Reports containing a malicious payload. Once these reports are viewable, anyone who opens them is susceptible to stored XSS attacks. As a result, information maintained in the victim's web browser can be read, modified, and sent to the attacker.

Recommendations

For versions 420 and 430, consider disabling the ability to modify or upload Crystal Reports until a patch is available. Restrict access to the CMC application to minimize the risk of exploitation. Avoid using the application to view or open reports from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-0018

Affected Products

SAP BusinessObjects Business Intelligence Platform CMC Application