CVE-2026-27683
Cross-Site Scripting in SAP BusinessObjects BI via Crafted URLs
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: SAP SE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | businessobjects_business_intelligence | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a reflected cross-site scripting flaw (CWE-79) in SAP BusinessObjects Business Intelligence: the application places input taken from the URL into a page it serves without neutralizing it. An authenticated attacker builds a URL carrying a JavaScript payload and induces a victim, typically another logged-in user of the platform, to open it.
When the victim's browser loads the crafted URL, the injected script executes in that browser within the BI application's origin, so it runs with the victim's session and can read whatever that session can read.
The advisory rates the outcome as exposure of restricted information; no other impact is claimed.
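As an added illustration (not SAP's code; the advisory does not identify the vulnerable endpoint or parameter), the Python below shows the CWE-79 pattern behind this class of bug: a hypothetical page that reflects two URL parameters, name into element text and next into a link target, first without neutralization and then hardened. It goes one step beyond the summary above by showing that HTML encoding alone does not neutralize a javascript: URL inside an href, so attribute context also needs scheme validation. The demo host, parameter names and template are constructed for the example.

```python
# Added illustration of CWE-79 (reflected XSS through a crafted URL) and its fix.
# This is NOT SAP code: the page template, the "name" and "next" parameters and
# the demo host are hypothetical; the advisory does not name the real endpoint.
from html import escape
from urllib.parse import parse_qs, urlsplit

SAFE_SCHEMES = ("http", "https")

# Constructed attacker URL: a script tag in a text parameter and a
# javascript: scheme in a link parameter.
DEMO_URL = ("https://bi.example.invalid/app"
            "?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
            "&next=javascript:alert(1)")


def first_param(query: str, key: str, default: str = "") -> str:
    """First (percent-decoded) value of a query parameter, or `default`."""
    return parse_qs(query, keep_blank_values=True).get(key, [default])[0]


def render_vulnerable(url: str) -> str:
    """Reflects URL parameters straight into HTML: no neutralization (CWE-79)."""
    q = urlsplit(url).query
    name = first_param(q, "name")
    nxt = first_param(q, "next", "/")
    return f'<p>Hello {name}</p><a href="{nxt}">Continue</a>'


def safe_link_target(candidate: str) -> str:
    """Allow only http(s) URLs or same-site relative paths as a link target.

    html.escape does not neutralize javascript:, data: or vbscript: inside
    href, because those are syntactically valid attribute values; the URL
    scheme has to be validated separately.
    """
    candidate = candidate.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in SAFE_SCHEMES:
        return candidate
    if not parts.scheme and not parts.netloc:   # relative path, not //host
        return candidate
    return "/"


def render_hardened(url: str) -> str:
    """Same page with context-appropriate output encoding plus scheme validation."""
    q = urlsplit(url).query
    name = escape(first_param(q, "name"), quote=True)                       # element text
    nxt = escape(safe_link_target(first_param(q, "next", "/")), quote=True)  # attribute value
    return f'<p>Hello {name}</p><a href="{nxt}">Continue</a>'


def is_script_injected(html: str) -> bool:
    """Demo check used to compare the two renderers: does the rendered page
    carry a raw script tag or a javascript: link target?"""
    low = html.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(DEMO_URL))
    print("hardened:  ", render_hardened(DEMO_URL))
```

Running the block prints the two renderings of DEMO_URL: the vulnerable one contains a live script tag and a javascript: link, the hardened one contains only entity-encoded text and a link target reset to "/". The point for this CVE is the general one: the fix is context-aware output encoding in the product, which only the vendor's patch can deliver.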
How can this vulnerability impact me?
The vulnerability can expose restricted information to an unauthorized party when one of your users opens a maliciously crafted URL: the injected script runs with that user's session, so what can be read is bounded by that user's permissions in the BI platform.
The impact on confidentiality is rated low.
There is no impact on data integrity or system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
An authenticated attacker can inject JavaScript that executes in a user's browser and may expose restricted information. If the exposed data includes personal or health data, that exposure is relevant to data protection regimes such as GDPR and HIPAA, which require safeguarding the confidentiality of such information.
The rated impact is low for confidentiality and none for integrity or availability, so the compliance significance depends on what data the affected users can see in the platform. Assess that in the context of your own obligations, apply the vendor fix and record the mitigation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation is delivered in a URL, so the primary evidence is the request line in the access log of the web application server that fronts the BI platform (Tomcat in the default deployment; make sure access logging is enabled and records the query string), or the log of a WAF or reverse proxy in front of it. Look for request targets that carry script tags, the javascript: URL scheme or inline event handlers.
Two caveats: logs normally hold the URL percent-encoded, so match both the raw and the encoded form (and decode before matching to catch double encoding), and a hit shows an attempt against the URL, not that a victim's browser executed it; correlate the flagged request with the user it was served to.
Example commands to search for suspicious URLs in logs:
- Script tags, raw or percent-encoded: grep -iE '<script|%3Cscript' /path/to/access.log
- The javascript: scheme, raw or encoded: grep -iE 'javascript(:|%3A)' /path/to/access.log
- Inline event handlers, raw or encoded: grep -iE 'on(error|load|mouseover|focus|click)(=|%3D)' /path/to/access.log
- Network monitoring or WAF inspection of full HTTP requests for URL parameters containing JavaScript, which also covers requests the application server did not log.
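The grep commands above only match payloads written exactly as they are logged. Access logs hold the URL percent-encoded, and attackers double-encode to slip past naive patterns, so a practical detector decodes the request target before matching. The Python script below (an added example, not from SAP or this advisory) does that over a few constructed common-log-format lines; the /BOE/BI path, parameter names and client addresses are illustrative, and a hit marks an attempt against the URL, not confirmed exploitation of this CVE.

```python
# Added detection example (not from the advisory or SAP): scan a web access log
# for URL-delivered XSS indicators, decoding percent-encoding before matching.
# Paths, parameters and clients in SAMPLE_LOG are constructed; a hit is an
# attempt against the URL, not confirmed exploitation of this CVE.
import re
from typing import Optional
from urllib.parse import unquote_plus

# Request line in common/combined log format: "METHOD target HTTP/x.y"
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Generic XSS indicators, evaluated against the DECODED request target.
# "event_handler" can false-positive on legitimate parameters whose name
# starts with "on"; triage hits rather than alerting blindly.
INDICATORS = {
    "script_tag":    re.compile(r"<\s*/?\s*script\b", re.I),
    "js_scheme":     re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "markup_tag":    re.compile(r"<\s*(svg|img|iframe|object|embed)\b", re.I),
}

# Constructed sample lines (the /BOE/BI path is only illustrative).
SAMPLE_LOG = [
    '10.0.0.5 - alice [14/Apr/2026:09:12:01 +0000] "GET /BOE/BI?startFolder=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Apr/2026:09:13:44 +0000] "GET /BOE/BI?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Apr/2026:09:13:45 +0000] "GET /BOE/BI?next=javascript%253Aalert(document.cookie) HTTP/1.1" 302 0',
    '203.0.113.9 - bob [14/Apr/2026:09:15:02 +0000] "GET /BOE/BI?t=%22+onerror%3Dalert(1)+x%3D%22 HTTP/1.1" 200 5120',
]


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode (and '+' to space) repeatedly, up to `rounds` times,
    so that double-encoded payloads such as %253C are unmasked."""
    cur = target
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def scan_line(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious request line, else None."""
    m = _REQUEST.search(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    if not hits:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "target": m.group("target"),
        "decoded": decoded,
        "indicators": hits,
    }


def scan_log(lines) -> list:
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in (scan_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["indicators"], finding["decoded"])
```

Against the sample, the benign report request produces nothing, the single-encoded script tag, the double-encoded javascript: scheme and the plus-encoded onerror handler each produce one finding; the third line is the one a plain grep for "javascript:" misses. To run it on a real file, pass the open file object to scan_log (one line per request) and review the "client" and "decoded" fields of each finding together with who was logged in from that client at the time.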
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Apply the SAP security note that addresses CVE-2026-27683 to every affected BI platform instance as soon as it is available to you; the advisory lists the product without a fixed version, so take the corrected support package or patch level from SAP's note. This is the only measure that removes the flaw.
- Until patched, if a WAF or reverse proxy fronts the BI web tier, block requests whose decoded URL contains script tags, the javascript: scheme or inline event handlers. Treat this as a compensating control only; encoding and filter-evasion variants exist.
- Restrict who can reach the application: exploitation needs an authenticated attacker and an authenticated victim, so limiting accounts to those who need them and not exposing the platform to the internet shrinks both populations.
- Tell users not to open BI platform links that arrive from untrusted sources. This is a weak control, because a crafted URL points at the legitimate host, but it raises the cost of delivery.
- Input validation and output encoding are the fix inside the product and are delivered by SAP's patch, not by configuration on your side; apply the same discipline to any custom web content you host alongside the platform.
- Monitor web access logs for the URL indicators described above to detect attempts, and for any flagged request determine which user's browser loaded it.