← Back

CVE-2019-0376

nvd nist
Published: Oct 8, 2019Modified: Nov 21, 2024

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD

Description

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.

Affected (9)

Sap
1 product
Businessobjects Business Intelligence Platform
Configuration A
9 vulnerable
Vulnerable SoftwareAffected Versions
Sap
Businessobjects Business Intelligence Platform
Version 4.0
Businessobjects Business Intelligence Platform
Version 4.1
Businessobjects Business Intelligence Platform
Version 4.1 sp10
Businessobjects Business Intelligence Platform
Version 4.1 sp11
Businessobjects Business Intelligence Platform
Version 4.1 sp12
Businessobjects Business Intelligence Platform
Version 4.2 sp04
Businessobjects Business Intelligence Platform
Version 4.2 sp05
Businessobjects Business Intelligence Platform
Version 4.2 sp06
Businessobjects Business Intelligence Platform
Version 4.2 sp07

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

Source: cna@sap.com
Permissions RequiredVendor Advisory
Source: cna@sap.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions RequiredVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.