SAP Knowledge Base Article - Preview

2013866 - XSS (Cross-Site Scripting) vulnerability in XI 3.1 SP5 for the URL http://<server>:<port>/InfoViewAppActions/jsp

Symptom

  • XSS - Cross-Site Scripting (post-authentication)
  • The application is vulnerable to cross-site scripting after authentication. The script does not properly validate its input parameters, so scripts can be injected and then used to compromise the client's confidential information, such as the session ID. More sophisticated phishing attacks can also use this vulnerability to trick even security-aware users.
  • Seen when </script><script>alert1</script> is appended to the InfoView URL after the user has logged in.



Environment

  • SAP BusinessObjects XI 3.1 Service Pack 5
  • Third-party application scanning tool used: Burp

Product

SAP BusinessObjects Enterprise XI 3.0

Keywords

injection, sql, error, cross, fix, issue, release, version, bug, cross, site, script, aix, solaris, KBA, BI-BIP-ADM, BI Servers, security, Crystal Reports in Launchpad, Bug Filed

About this page

This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).
