CVE-2023-0015

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.4%

top 37.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SAP Businessobjects Business Intelligence Platform SAP Business Objects Business Intelligence Platform

Timeline

PublishedJan 10

Latest updateJul 6

Description

In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages2 packages

▶NVDsap/business_objects_business_intelligence_platform420

▶CVEListV5sap/sap_businessobjects_business_intelligence_platform420

🔴Vulnerability Details

CVEList

Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)↗2023-01-10

▶

GHSA

GHSA-7v6p-hrxh-28hh: In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return json with wrong content type↗2023-01-10

▶

📋Vendor Advisories

VMware

VMware SD-WAN update addresses a bypass authentication vulnerability (CVE-2023-20899)↗2023-07-06

▶