On 11.10.2022 SAP SE released a security-relevant correction. The manufacturer resolves an issue within the BI/BO platform.
SAP Note 3229425 addresses "[CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP" to prevent cross-site scripting (XSS), rated at medium risk of exploitation.
A workaround does exist, according to the SAP Security Advisory team. The team suggests implementing the correction as part of regular maintenance.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines affected web application.
Risk specification
BI/BO platform does not sufficiently encode URL parameters, allowing an unauthenticated attacker to view or modify information, resulting in a Cross-Site Scripting attack.
The URL parameters are now properly encoded, which prevents a successful XSS attack. Circumstances may exist that prevent the timely installation of the patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Cross-site scripting/request forgery filter engine on IDS/IPS/firewall systems."
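To illustrate the fix the note describes (encoding URL parameters before they are reflected into a page), here is an added example that is not SAP's code: a vulnerable renderer that concatenates a query parameter as-is, beside a hardened one that applies the encoder matching each output context. The `title` parameter, the `/report` path and the sample request are constructed placeholders.

```javascript
// Added example (not SAP's code): context-aware encoding of a URL query
// parameter that a server reflects back into its HTML response.
// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for insertion into HTML text or a double-quoted attribute.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode a value for use as one query-string component inside a URL.
function urlEncode(value) {
  return encodeURIComponent(String(value));
}

// Vulnerable variant: the 'title' parameter is concatenated unchanged, so any
// markup inside it becomes part of the page (the pattern the note fixes).
function renderUnsafe(params) {
  return `<h1>${params.title}</h1>` +
         `<a href="/report?title=${params.title}">Reload</a>`;
}

// Hardened variant: the value is URL-encoded where it becomes part of a URL,
// and HTML-encoded where it lands in text or an attribute.
function renderSafe(params) {
  const title = htmlEncode(params.title);
  const href = '/report?title=' + urlEncode(params.title);
  return `<h1>${title}</h1>` +
         `<a href="${htmlEncode(href)}">Reload</a>`;
}

// Parse a query string into a plain object, as a server would receive it.
function parseQuery(queryString) {
  return Object.fromEntries(new URLSearchParams(queryString));
}

// Constructed sample request (placeholder parameter, not from the advisory).
const sample = parseQuery('?title=<script>alert(1)</script>');
console.log('unsafe:', renderUnsafe(sample));
console.log('safe:  ', renderSafe(sample));
```

Running the block prints both renderings; in the hardened output the injected tag survives only as inert text, while the link still round-trips the original parameter value.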
SAP BusinessObjects Business Intelligence suite is an analytics platform that allows SAP customers to make better decisions based on their business data. SAP BI is a module meant for producing business insights; its power expands in combination with HANA DB, and it also exists as BW/4HANA. Because it processes sensitive business data, data security is of utmost importance.