Vigil@nce - SAP BusinessObjects: Cross Site Scripting via InfoView
March 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create three Cross Site Scripting in the InfoView
module of SAP BusinessObjects.
Severity: 2/4
Creation date: 09/03/2012
IMPACTED PRODUCTS
– BusinessObjects
– SAP Crystal Enterprise
– SAP Crystal Reports
DESCRIPTION OF THE VULNERABILITY
The SAP BusinessObjects InfoView product can for exemple be used
to access to Crystal Reports data. This product is impacted by
three vulnerabilities.
The listing.aspx page does not filter its posted "searchText"
parameter. [severity:2/4]
The helpredir.aspx page does not filter its "guide" parameter.
[severity:2/4]
The webi_modify.aspx page does not filter its "id" parameter.
[severity:2/4]
An attacker can therefore create three Cross Site Scripting in the
InfoView module of SAP BusinessObjects.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SAP-BusinessObjects-Cross-Site-Scripting-via-InfoView-11412