A note with CVSS 5.4 for component BI-BIP-INV was released by SAP on 10.12.2019. The correction/advisory 2830578 was described with "[CVE-2019-0395] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad)" and affects the system type BI/BO platform.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is cross-site scripting (XSS) within the BI/BO platform.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines […] affected web application.
Risk specification: SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad) does not sufficiently encode user controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
The user inputs are now encoded for the affected parts of the application to prevent a successful XSS attack.
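The fix class the note describes is output encoding of user-controlled values before they are placed into markup. The following is an added illustration, not SAP's code and not taken from the note: a hypothetical launchpad tile renderer in its vulnerable (raw concatenation) and corrected (encoded) forms, with the encoder and sample title constructed here.

```javascript
// Added example (not SAP's code): HTML output encoding of user-controlled
// input, the class of correction described in the advisory.

// Encode the five characters that can change HTML parsing state. Applying this
// to every untrusted value placed into element content or a quoted attribute
// prevents the value from being interpreted as markup.
function encodeForHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical launchpad tile renderer whose title comes from a user-controlled
// source (e.g. a query parameter or a saved tile name).
function renderTileUnsafe(title) {
  // Vulnerable pattern: raw concatenation of untrusted input into markup.
  return `<div class="tile"><span title="${title}">${title}</span></div>`;
}

function renderTileSafe(title) {
  // Corrected pattern: encode once, then reuse the encoded value in both the
  // element content and the quoted attribute.
  const safe = encodeForHtml(title);
  return `<div class="tile"><span title="${safe}">${safe}</span></div>`;
}

// Defensive check for tests or a lint step: an encoded value must contain no
// character that can open a tag or terminate a quoted attribute.
function containsRawMarkupChars(encoded) {
  return /[<>"']/.test(encoded);
}

// Constructed sample input, not a real launchpad value.
const sampleTitle = `Sales <b>Q4</b> & "regional" view`;

console.log(renderTileUnsafe(sampleTitle)); // <b> survives as live markup
console.log(renderTileSafe(sampleTitle));   // &lt;b&gt; is rendered as text
```

The encoder above is only correct for element content and quoted attribute values; a value placed into an unquoted attribute, a URL, or inline script needs the encoding rules of that context instead.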
SAP BusinessObjects Business Intelligence suite is an analytics platform that allows SAP customers to make better decisions based on their business data. SAP BI is a module for producing business insights; it is most powerful in combination with HANA DB and also exists as BW/4HANA. Because it processes sensitive business data, data security is of utmost importance.
The advisory is valid for
- 6.1 [CVE-2020-6305] Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process Integration
- 5.4 [CVE-2020-6303] Improper input validation in SAP Disclosure Management
- 5.4 [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
- 5.4 [CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud