CVE-2019-0376: XSS
First published: Tue Oct 08 2019(Updated: )
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP BusinessObjects BI Platform | =4.0 | |
| SAP BusinessObjects BI Platform | =4.1 | |
| SAP BusinessObjects BI Platform | =4.1-sp10 | |
| SAP BusinessObjects BI Platform | =4.1-sp11 | |
| SAP BusinessObjects BI Platform | =4.1-sp12 | |
| SAP BusinessObjects BI Platform | =4.2-sp04 | |
| SAP BusinessObjects BI Platform | =4.2-sp05 | |
| SAP BusinessObjects BI Platform | =4.2-sp06 | |
| SAP BusinessObjects BI Platform | =4.2-sp07 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this SAP BusinessObjects Business Intelligence Platform vulnerability?
The vulnerability ID is CVE-2019-0376.
What is the severity rating of CVE-2019-0376?
The severity rating of CVE-2019-0376 is medium with a CVSS score of 5.4.
What versions of SAP BusinessObjects Business Intelligence Platform are affected by CVE-2019-0376?
Versions 4.0, 4.1, 4.1-sp10, 4.1-sp11, 4.1-sp12, 4.2-sp04, 4.2-sp05, 4.2-sp06, and 4.2-sp07 of SAP BusinessObjects Business Intelligence Platform are affected by CVE-2019-0376.
How does CVE-2019-0376 impact the SAP BusinessObjects Business Intelligence Platform?
CVE-2019-0376 allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim.
Are there any official references for CVE-2019-0376?
Yes, you can find official references for CVE-2019-0376 at the following links: [SAP Note 2817945](https://launchpad.support.sap.com/#/notes/2817945) and [SAP SCN Wiki](https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050).
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap businessobjects bi platform
- version/sap businessobjects bi platform/4.0
- version/sap businessobjects bi platform/4.1
- version/sap businessobjects bi platform/4.1-sp10
- version/sap businessobjects bi platform/4.1-sp11
- version/sap businessobjects bi platform/4.1-sp12
- version/sap businessobjects bi platform/4.2-sp04
- version/sap businessobjects bi platform/4.2-sp05
- version/sap businessobjects bi platform/4.2-sp06
- version/sap businessobjects bi platform/4.2-sp07