Blog: Vulnerability Advisory

XSS in SAP BI Documents

Jamie Riden 12 Jul 2016

sapxss

Reference PTP-2016-002

1. Description

Title Security Note CVSS3 Base Score CVSS3 Base Vector
Cross-Site Scripting (XSS) vulnerability in BI Documents 2274286 5.4 NLLR|C|LLN

The details for security note 2274286 should be accessible here for SAP customers:
https://websmp230.sap-ag.de/sap/support/notes/2274286

The version tested was 14.1.6.1805.

It’s possible to cause a persistent XSS in the Web page module bit of the “new workspace”, by providing a javascript URI instead of HTTP.

XSS can also be triggered when creating a BI Workspace in the Viewer module – > content -> document to view -> All folders. For example, create a filename with the following string in it:

SAP1

The same issue is in “Document to View” option of Public Modules as well.

2. CVSS Score

SAP have given the base CVSS 3 score as 5.4. We feel this is reasonable.

3. Resolution

Review the security note and apply the relevant patch.

Vulnerability Timeline

27/01/2016 SAP informed

27/01/2016 SAP respond

12/04/2016 Advisory/patch published

12/07/2016 More detailed advisory/patch published