On 14.07.2020 a security-relevant correction was released by SAP SE. The manufacturer resolves an issue within the BI/BO platform.
SAP Note 2917743 addresses "[CVE-2020-6281] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Launch pad)" to prevent Cross-Site Scripting (XSS) with a medium risk of exploitation.
A workaround does exist, according to the SAP Security Advisory team. The team suggests implementing the correction as part of regular maintenance.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification: SAP Business Objects Business Intelligence Platform (BI Launchpad) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
With the correction, URL parameters are properly encoded using an SAP-provided API. Circumstances may exist that prevent the timely installation of the patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems."
SAP BusinessObjects Business Intelligence suite is an analytics platform that allows SAP customers to make better decisions based on their business data. SAP BI is a module for producing business insights; it is most powerful in combination with HANA DB and also exists as BW/4HANA. Because it processes sensitive business data, data security is of utmost importance.
The advisory is valid for
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.1 [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- 6.1 [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms)