CVE-2023-0018 (businessobjects_business_intelligence_platform)

Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application - versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim's web browser can be read, modified, and sent to the attacker.

application attack attacks basic browser business business intelligence crystal cve information input intelligence malicious payload platform privileges reports result sap stored xss victim web web browser xss