CVE-2018-2432 — Cross-site Scripting in SAP Businessobjects Business Intelligence

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 39.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Businessobjects Business Intelligence SAP Businessobjects Business Intelligence

Timeline

PublishedJul 10

Latest updateMay 13

Description

SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/businessobjects_business_intelligence4.1, 4.2, 4.3+2

▶CVEListV5sap/sap_businessobjects_business_intelligence= 4.10, = 4.20, = 4.30+2

Patches

Patch: wiki.scn.sap.com ↗Patch: wiki.scn.sap.com ↗

🔴Vulnerability Details

GHSA

GHSA-x89x-j6p8-53mc: SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4↗2022-05-13

▶

CVEList

CVE-2018-2432: SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4↗2018-07-10

▶