
CVE-2023-42472

Insufficient File type validation in the Web Intelligence module

8.7 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

SAP BusinessObjects Business Intelligence Platform

ENTERPRISE 420

Bartosz Śmigielski

Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML module), version 420, allows a report creator to upload files from the local system into the report over the network. When uploading an image file, an authenticated attacker could intercept the request and modify the content type and the extension to read and modify sensitive data, causing a high impact on the confidentiality and integrity of the application.

To reproduce the vulnerability, an attacker has to:

  1. Prepare a malicious HTML file, for example one containing a script tag with JavaScript code to attack application users.
  2. Log in to the application.
  3. Open a report, right-click and go to Format -> Appearance, then select the "Image" radio button.
  4. Upload a proper image file and intercept the request in a proxy of your choice, e.g. Burp Suite.
  5. Edit the Content-Type header of the uploaded file to image/jpg, text/html and change the extension to .jpg. The file gets uploaded successfully.
  6. Note the entry ID received from the server (the one that starts with we[...]) and the string that starts with bores://.
  7. Go to the address:
    https://(SAP Business Objects URL)/webiDHTML/viewer/getImage.jsp?sEntry=we[....]&name=bores://&appKind=InfoView&generated=true
  8. Replace we[...] with the entry ID, and the name parameter value with the bores:// string received before.
  9. The uploaded HTML file gets rendered and executed.

Timeline:

  • 20-07-2023 - Vulnerability reported to vendor
  • 12-09-2023 - Security advisory is published by the vendor
  • 15-10-2025 - PoC published
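
The upload accepted a file whose extension and Content-Type claimed an image while its content was HTML, and the viewer then rendered it. The sketch below shows the kind of server-side check and response hardening that closes that gap; it is an added example, not SAP's code or the researcher's, and the function names, allowed types and sample bytes are assumptions made for illustration.

```python
import os

# Leading-byte signatures for the image types the upload should accept.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
              ".png": "image/png", ".gif": "image/gif"}

# Constructed sample inputs (not captured traffic).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_AS_JPG = b"<html><body>constructed sample</body></html>"


def sniff_image_type(data):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if data.startswith(magics):
            return mime
    return None


def validate_upload(filename, declared_type, data):
    """Return the verified MIME type, or raise ValueError.

    Extension, declared Content-Type and content must all agree; the
    client-controlled header and name are never trusted on their own.
    """
    by_ext = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    by_content = sniff_image_type(data)
    if by_content is None or by_ext != by_content:
        raise ValueError("content is not an allowed image for this extension")
    declared = declared_type.split(";")[0].strip().lower()
    if declared == "image/jpg":          # common non-standard alias
        declared = "image/jpeg"
    if declared != by_content:
        raise ValueError("declared Content-Type does not match content")
    return by_content


def image_response_headers(verified_type):
    """Headers for serving a stored upload so it cannot render as HTML."""
    if verified_type not in SIGNATURES:
        raise ValueError("refusing to serve an unverified type")
    return {
        "Content-Type": verified_type,       # from validation, not the request
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

Signature checks alone do not stop a file that begins with valid image bytes and carries markup later, which is why the response headers fix the type and disable sniffing when the stored file is served.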