CVE-2024-28165

8.1 HIGH

📋 TL;DR

SAP Business Objects Business Intelligence Platform contains a stored cross-site scripting (XSS) vulnerability in the Opendocument URL parameter. Attackers can inject malicious scripts that execute when users access manipulated documents, potentially compromising user sessions and data integrity. This affects all organizations running vulnerable versions of SAP Business Objects BI Platform.

💻 Affected Systems

Products:
  • SAP Business Objects Business Intelligence Platform
Versions: Multiple versions - check SAP Note 3431794 for specific affected versions
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable Opendocument functionality are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, manipulate or exfiltrate sensitive business intelligence data, and perform actions on behalf of authenticated users.

🟠 Likely Case

Attackers would steal session cookies or authentication tokens to impersonate legitimate users, potentially accessing confidential business reports and data.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have access to create or modify documents with malicious parameters, but the XSS payload execution is straightforward once the document is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3431794

Vendor Advisory: https://me.sap.com/notes/3431794

Restart Required: Yes

Instructions:

1. Download SAP Note 3431794 from the SAP Support Portal
2. Apply the security patch according to SAP's standard patching procedures
3. Restart the SAP Business Objects services
4. Verify the fix by testing the Opendocument functionality

🔧 Temporary Workarounds

Input Validation Filter (platforms: all)

Implement server-side input validation to sanitize Opendocument URL parameters:
  • Configure web application firewall rules to block suspicious parameter patterns
  • Implement input validation in custom code that processes Opendocument requests

Content Security Policy (platforms: all)

Implement a strict Content Security Policy header to limit the impact of XSS, for example:

  Content-Security-Policy: default-src 'self'; script-src 'self'

Note that script-src 'self' without 'unsafe-inline' also blocks the platform's own inline scripts, so test the policy against normal BI Platform use before enforcing it.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all Opendocument parameters
  • Restrict document creation/modification permissions to trusted users only
  • Monitor for suspicious parameter patterns in application logs
  • Use web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test by attempting to inject script payloads into Opendocument URL parameters and checking if they execute when the document is accessed.

Check Version:

Check the SAP Business Objects version and patch level through the Central Management Console; the command 'java -version' only reports the JVM version used by Java-based components, not the BI Platform patch level.

Verify Fix Applied:

After applying SAP Note 3431794, test the same XSS payloads to confirm they are properly sanitized and do not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values in Opendocument URLs
  • Multiple failed XSS attempts in web server logs
  • Suspicious document access patterns

Network Indicators:

  • HTTP requests with script tags or JavaScript in URL parameters
  • Unusual outbound connections from BI Platform servers

SIEM Query:

source="web_server_logs" AND (url="*opendocument*" AND (param="*<script>*" OR param="*javascript:*"))
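As an added example (not part of this advisory or of SAP's tooling), the following Python script applies the same detection idea to constructed access-log lines, but decodes the query string first so that percent-encoded and double-encoded payloads, which a literal "*<script>*" match on the raw URL would miss, are also flagged. The OpenDocument path and parameter names follow SAP's documented OpenDocument URL format; the log lines themselves are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (common log format), not captured traffic. Lines 1 and 3
# carry encoded / double-encoded probes; line 4 is a benign non-OpenDocument request.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /BOE/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=AbCdEf HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "GET /BOE/OpenDocument/opendoc/openDocument.jsp?iDocID=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2024:10:00:09 +0000] "GET /BOE/OpenDocument/opendoc/openDocument.jsp?sRefresh=javascript:void(0) HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2024:10:00:11 +0000] "GET /BOE/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2024:10:00:12 +0000] "GET /BOE/BI/logon HTTP/1.1" 200 1024',
]

# Request line inside the log entry: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Script-injection markers, checked against fully decoded parameter values.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Strip up to max_rounds layers of percent-encoding, stopping once the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_opendocument_params(line: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs of an OpenDocument request that carry XSS markers."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    if "opendocument" not in parts.path.lower():
        return []
    hits = []
    # parse_qsl already removes one layer of encoding; fully_decode handles any further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map each flagged line's index to the suspicious parameters found in it."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_opendocument_params(line))}
```

Running scan(SAMPLE_LOGS) flags lines 1, 2 and 3 and leaves the legitimate OpenDocument request and the logon request alone.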
