4 XSS flaws in SAP BusinessObjects Suite allow ransomware attacks on business users

A group of information security experts found a set of vulnerabilities in the SAP BusinessObjects suite, a business intelligence platform aimed at business users. The suite consists of a series of reporting applications that let users discover data, run analytics to gain insight, and report on business plans.

Successful exploitation of these vulnerabilities would allow multiple malicious scenarios, such as cross-site scripting, among others. Below are brief descriptions of the reported flaws, along with their CVE identifiers and their Common Vulnerability Scoring System (CVSS) scores.

CVE-2020-628: Insufficient sanitization of user-provided data within the BI Launchpad component would allow threat actors to perform cross-site scripting (XSS) attacks by running arbitrary HTML in the context of the vulnerable user’s browser.

This is a low severity flaw that received a score of 5.3/10.

CVE-2020-6276: Insufficient sanitization of user-provided data within the bipodata component would allow malicious hackers to deploy XSS attacks in the context of a vulnerable website.

Successful exploitation of this flaw would lead to the theft of confidential information from the target system, modification of the website's appearance, and deployment of phishing attacks, among other attack variants. The flaw received a score of 5.3/10 on the CVSS scale.

CVE-2020-6278: This flaw exists due to insufficient sanitization of user-provided data within the BI Launchpad and CMC components, leading to XSS attacks in the context of a vulnerable website. The vulnerability also received a CVSS score of 5.3/10.

CVE-2020-6222: Insufficient sanitization of user input within the Web Intelligence HTML interface enables XSS attacks. A remote attacker only needs to trick the target user into executing arbitrary HTML to complete the attack.

The flaw received a score of 5.3/10.

Although these flaws can be exploited remotely by unauthenticated threat actors, researchers have not detected attempts at active exploitation or any malware variant associated with the attack.

SAP has just confirmed that patches fixing these vulnerabilities are already available, so users of affected deployments only need to verify their installation. Additional details are available on the company’s official platforms.