Blog: Vulnerability Advisory
XSS in SAP BI Documents
| Title | Security Note | CVSS3 Base Score | CVSS3 Base Vector |
|---|---|---|---|
| Cross-Site Scripting (XSS) vulnerability in BI Documents | 2274286 | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
The details for security note 2274286 should be accessible here for SAP customers:
The version tested was 22.214.171.1245.
XSS can also be triggered when creating a BI Workspace in the Viewer module -> content -> document to view -> All folders. For example, create a filename with the following string in it:
The same issue is present in the “Document to View” option of Public Modules as well.
2. CVSS Score
SAP have given the base CVSS 3 score as 5.4. We feel this is reasonable.
Review the security note and apply the relevant patch.
27/01/2016 SAP informed
27/01/2016 SAP respond
12/04/2016 Advisory/patch published
12/07/2016 More detailed advisory/patch published