Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-0018— Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)

CVSS 10.0 · Critical EPSS 1.01% · P77
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-0018

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application - versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim's web browser can be read, modified, and sent to the attacker.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP BusinessObjects Business Intelligence Platform 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP BusinessObjects Business Intelligence Platform是德国思爱普(SAP)公司的一款完备的商务分析平台。该平台集市场领先的 SAP 数据整合产品、数据管理产品和商务智能 (BI) 产品于一身,可消除系统集成难题,快速、轻松地部署高性能的商务分析软件。 SAP BusinessObjects Business Intelligence Platform CMC application 420和430版本存在跨站脚本漏洞,该漏洞源于其对用户控制的输入进行了不适当
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
SAPBusinessObjects Business Intelligence Platform (Central management console) 420 -

II. Public POCs for CVE-2023-0018

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-0018

登录查看更多情报信息。

Same Patch Batch · SAP · 2023-01-10 · 9 CVEs total

CVE-2023-00169.9 CRITICALSQL Injection vulnerability in SAP Business Planning and Consolidation MS
CVE-2023-00229.9 CRITICALCode Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analys
CVE-2023-00179.4 CRITICALImproper access control in SAP NetWeaver AS for Java
CVE-2023-00149.0 CRITICALCapture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-00126.4 MEDIUMLocal Privilege Escalation in SAP Host Agent (Windows)
CVE-2023-00136.1 MEDIUMCross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-00154.6 MEDIUMCross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web
CVE-2023-00234.5 MEDIUMInformation Disclosure in SAP Bank Account Management (Manage Banks)

IV. Related Vulnerabilities

Same vendor: SAP
Same weakness: CWE-79

V. Comments for CVE-2023-0018

No comments yet

Leave a comment