CVE-2023-42476

SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3382353	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:businessobjects_web_intelligence:420:*:*:*:*:*:*:*

History

14 Dec 2023, 00:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-12 01:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-42476

Mitre link : CVE-2023-42476

CVE.ORG link : CVE-2023-42476

JSON object : View

Products Affected

sap

businessobjects_web_intelligence

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-42476", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2023-12-12T01:15:10.410", "references": [{"url": "https://me.sap.com/notes/3382353", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim\u2019s browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases.\n\n"}, {"lang": "es", "value": "SAP Business Objects Web Intelligence: versi\u00f3n 420, permite a un atacante autenticado inyectar c\u00f3digo JavaScript en documentos de Web Intelligence que luego se ejecuta en el navegador de la v\u00edctima cada vez que se visita la p\u00e1gina vulnerable. La explotaci\u00f3n exitosa puede llevar a la exposici\u00f3n de los datos a los que tiene acceso el usuario. En el peor de los casos, el atacante podr\u00eda acceder a datos de bases de datos de informes."}], "lastModified": "2023-12-14T00:07:10.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_web_intelligence:420:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "225BB1F4-1264-487B-A1F2-E862BE17A0E6"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}