CVE-2023-42474
DOM-Based Cross-Site Scripting
6.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
SAP Business Objects
SAP BusinessObjects Web Intelligence - version 420
Bartosz Śmigielski (glasn0st)
SAP BusinessObjects version 420 is vulnerable to a DOM-based XSS attack. An attacker can inject a URL into the skin
GET parameter, which causes the application to load scripts from the given URL. To exploit the vulnerability, access to the application is not required, as the attack vector is a GET parameter. However, a low-privilege account might be needed to find the bug.
In order to reproduce the vulnerability, an attacker has to set up an HTTP server, for example with the Python http.server module. The web server should serve a prototype.js file containing the malicious JavaScript code. For the sake of proving the concept, a simple alert is enough.
After starting the HTTP server, go to the URL:
https://(SAP Business Objects URL)/AnalyticalReporting/webiDHTML/viewer/language/en/html/printWindow.html?skin=[inject]
Replace (SAP Business Objects URL) with the address of your application and [inject] with the URL of your web server.
After visiting the page, the JavaScript code from the served file is executed.
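As an added example (not code from the advisory or from SAP), the following shows how a page can validate a skin parameter before using it to build a script path, so that an absolute or protocol-relative URL in the parameter can never change which host prototype.js is loaded from. The allowlist, the base URL bo.example and the skins/<name>/prototype.js layout are assumptions made for illustration.

```javascript
// Added example, not SAP's code. The vulnerable pattern described in the
// advisory takes the raw "skin" parameter and uses it directly as the base of
// the script location, so a value such as https://host/ makes the page load
// https://host/prototype.js. The hardened handling below restricts the value
// to a known set of plain identifiers and resolves the script on our origin.
const SKIN_ALLOWLIST = new Set(["default", "corporate"]); // assumed skin names

// Returns the validated skin name, or null if the value must be rejected.
// Anything that is not a short plain identifier on the allowlist is refused,
// which covers absolute URLs (https://...), protocol-relative URLs (//...),
// path traversal (../) and percent-encoded variants of each.
function validateSkin(rawValue) {
  if (typeof rawValue !== "string") return null;
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(rawValue)) return null;
  return SKIN_ALLOWLIST.has(rawValue) ? rawValue : null;
}

// Builds the script URL from the page's query string. When the parameter is
// missing or rejected it falls back to the default skin instead of echoing
// the untrusted value into the script source.
function scriptUrlForQuery(
  search,
  base = "https://bo.example/AnalyticalReporting/webiDHTML/viewer/" // assumed
) {
  const params = new URLSearchParams(search); // values come back decoded
  const skin = validateSkin(params.get("skin")) ?? "default";
  // Resolving a relative path against our own base keeps the result on-origin.
  return new URL(`skins/${skin}/prototype.js`, base).href;
}

// Example usage with a constructed query string, e.g. from window.location.search.
console.log(scriptUrlForQuery("?skin=https://untrusted.example/"));
```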
- 20-07-2023 - Vulnerability reported to vendor
- 24-07-2023 - First response from SAP
- 05-10-2023 - Vulnerability fixed during October patch day
- 10-10-2023 - Acknowledgement from SAP on their website
- 30-05-2025 - PoC published