CVE-2026-24325
📋 TL;DR
This stored XSS vulnerability in SAP BusinessObjects Enterprise allows admin users to inject malicious JavaScript into web pages. When other users visit compromised pages, the script executes in their browser context. Only admin users can exploit this vulnerability, limiting the attack surface.
💻 Affected Systems
- SAP BusinessObjects Enterprise
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Admin user could steal session cookies, redirect users to malicious sites, or perform actions on behalf of other users, potentially leading to data theft or account compromise.
Likely Case
Admin user could deface pages, display misleading information, or capture limited user data through client-side attacks.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented entirely.
🎯 Exploit Status
Exploitation requires admin privileges and knowledge of vulnerable input fields
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SAP Note 3697256 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3697256
Restart Required: Yes
Instructions:
1. Review SAP Note 3697256 for specific patch details
2. Apply the security patch from SAP Support Portal
3. Restart SAP BusinessObjects services
4. Verify the fix by testing previously vulnerable inputs
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for user-controlled fields
Custom implementation required based on application code
Content Security Policy
Implement CSP headers to restrict script execution
Add 'Content-Security-Policy' header to web server configuration
🧯 If You Can't Patch
- Restrict admin privileges to trusted personnel only
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Test user-controlled input fields for proper output encoding by attempting to inject script tags
Check Version:
Check the SAP BusinessObjects version through the Central Management Console; for Java-based components, 'java -version' reports the JVM version
Verify Fix Applied:
After patching, attempt XSS payload injection in previously vulnerable fields and verify scripts do not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying web content
- JavaScript payloads in input fields in application logs
Network Indicators:
- Unexpected script tags in HTTP requests to BusinessObjects endpoints
SIEM Query:
source="businessobjects" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
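As an added example (not part of the advisory or of SAP's tooling), the indicator logic of the SIEM query above applied to constructed log lines in a hypothetical key=value format: it scopes to the businessobjects source, URL-decodes the stored value and matches the four indicator terms case-insensitively, so encoded or mixed-case payloads that a literal substring query would miss are still flagged.

```python
import re
from urllib.parse import unquote

# Indicator terms taken from the advisory's SIEM query.
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")
# Case-insensitive alternation of the literal terms.
INDICATOR_RE = re.compile("|".join(re.escape(t) for t in INDICATORS), re.IGNORECASE)
# key=value fields; values are either double-quoted or a single token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (hypothetical format, not real BusinessObjects output).
SAMPLE_LOGS = [
    'source=businessobjects user=admin1 action=update_content value="<script>alert(1)</script>"',
    'source=businessobjects user=admin2 action=update_content value="Q3%20report%20%3CSCRIPT%3Ealert(1)%3C%2Fscript%3E"',
    'source=businessobjects user=admin3 action=update_content value="<img src=x onerror=alert(1)>"',
    'source=businessobjects user=analyst action=view_report value="Regional sales dashboard"',
    'source=other_app user=bob action=update_content value="<script>alert(1)</script>"',
]


def parse_line(line):
    """Split a key=value log line into a dict (quoted values keep their spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def literal_match(line):
    """Exact, case-sensitive substring match: how the SIEM query behaves when the
    backend neither normalises case nor decodes URL-encoding."""
    return any(term in line for term in INDICATORS)


def scan(lines, source="businessobjects"):
    """Return (user, indicator) for each line from `source` whose value field
    contains an indicator after URL-decoding, matched case-insensitively."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("source") != source:
            continue  # the query is scoped to BusinessObjects logs only
        decoded = unquote(fields.get("value", ""))
        found = INDICATOR_RE.search(decoded)
        if found:
            hits.append((fields.get("user"), found.group(0).lower()))
    return hits


if __name__ == "__main__":
    for user, indicator in scan(SAMPLE_LOGS):
        print(f"alert: user={user} indicator={indicator}")
```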