Detections
Analytics
SAP BusinessObjects Business Intelligence Platform XSS (3251447)
medium Nessus Plugin ID 170271
Language:
Synopsis
SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is affected by a cross-site scripting vulnerabilityDescription
The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to 4.2 SP9 P11. It is, therefore, affected by a vulnerability. In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
See vendor advisories.See Also
Plugin Details
Severity: Medium
ID: 170271
File Name: sap_business_objects_bip_3251447.nasl
Version: 1.1
Type: local
Agent: windows
Family: Windows
Published: 1/23/2023
Updated: 1/24/2023
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 5.5
Temporal Score: 4.1
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS Score Source: CVE-2023-0015
CVSS v3
Risk Factor: Medium
Base Score: 5.4
Temporal Score: 4.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:sap:businessobjects_business_intelligence_platform
Required KB Items: SMB/Registry/Enumerated, installed_sw/SAP BusinessObjects Business Intelligence Platform
Exploit Ease: No known exploits are available
Patch Publication Date: 1/10/2023
Vulnerability Publication Date: 1/10/2023
Reference Information
CVE: CVE-2023-0015
IAVA: 2023-A-0018