This SAP Security Note addresses several vulnerabilities identified in SAP Business Objects Business Intelligence Platform. The vulnerability details along with their CVE relevant information can be found below.

Information Disclosure :
The vulnerability is identified in BILaunchpad/CMC. Passwords submitted to the application are returned in clear form in later responses from the application.

• CVE-2020-6195
• CVSS: 6.4; CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL Redirection :
AdminTools of SAP BI allows an attacker to redirect users to a malicious site due to insufficient URL validation.

• CVE-2020-6211
• CVSS: 6.1; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Some well-known impacts of URL Redirection vulnerability are –

• Phishing attacks to steal credentials of the victim   
• Redirect users to untrusted webpages containing malware or similar malicious exploits.

Content Spoofing :
The open document area allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application.

• CVE-2020-6223
• CVSS: 6.1; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

XSS :

The below mentioned applications do not sufficiently encode user-controlled inputs resulting in respective XSS issues. The individual CVSS scores and CVEs of the vulnerabilities can be found below.

Stored & Reflected XSS : Web Intelligence HTML interface

• CVE-2020-6221
• CVSS: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Information Disclosure : AdminTools/Query Builder

• CVE-2020-6218
• CVSS: 5.0; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Reflected XSS : SAP BusinessObjects BI and CMC

• CVE-2020-6220
• CVSS: 4.4; CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Impacts of XSS:

• Non-permanently deface or modify displayed content from a Web site
• Steal authenticated information of the user, such as data relating to his or her current session
• Impersonate the user and access all information with the same rights as the target user