CVE-2023-23856

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 43.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence (web Intelligence UI)SAP Business Objects Business Intelligence Platform

Timeline

PublishedFeb 14

Description

In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDsap/business_objects_business_intelligence_platform430

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_(web_intelligence_ui)430

🔴Vulnerability Details

GHSA

GHSA-qwq7-63pm-p4wv: In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the he↗2023-02-14

▶

CVEList

CVE-2023-23856: In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the he↗2023-02-14

▶