A note with CVSS 5.4 for component BI-BIP-INV was released by SAP on 10.12.2019. The correction/advisory 2830578 was described with "[CVE-2019-0395] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)" and affects the system type BI/BO platform.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is cross-site scripting (XSS) within the BI/BO platform.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specification: SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
The user inputs are now encoded for the affected parts of the application to prevent a successful XSS attack.
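The difference between encoding and sufficient encoding, as an added example that is not SAP's code and not the content of note 2830578: `renderTile`, the encoder names and the sample title are hypothetical, and the check lists which attributes the rendered tag ends up carrying.

```javascript
// Added example: all names and sample values are constructed, not SAP code.

// Insufficient: only angle brackets are encoded, so a quote in the input
// still terminates a quoted attribute value.
function encodeWeak(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// HTML text and quoted-attribute contexts: encode every character that can
// start markup or end the attribute value.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// Inline-script string context: HTML entities are not decoded there, so
// escape everything except alphanumerics and space as \uXXXX instead.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical launchpad tile: the same value lands in an attribute and in text.
function renderTile(title, encode) {
  return '<div class="tile" title="' + encode(title) + '">' + encode(title) + "</div>";
}

// Check helper: list the attribute names the opening tag ends up with.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">") + 1);
  return [...openTag.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed input: a document title containing a double quote.
const SAMPLE_TITLE = 'Q4 report" onmouseover="alert(1)';

console.log(attributeNames(renderTile(SAMPLE_TITLE, encodeWeak))); // extra attribute appears
console.log(attributeNames(renderTile(SAMPLE_TITLE, encodeHtml))); // class and title only
console.log(encodeJsString("</script>"));
```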
The SAP BusinessObjects Business Intelligence suite is an analytics platform that allows SAP customers to make better decisions based on their business data. SAP BI is a module for producing business insights; it expands its power in combination with HANA DB and also exists as BW/4 HANA. Because it processes sensitive business data, data security is of utmost importance.
The advisory is valid for
- 8.7 [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
- 8.3 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.3 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.2 [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)
- 8.0 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce