CVE-2013-6234

HIGH

SpagoBI < 4.1 - Authenticated Arbitrary File Upload via Worksheet Designer

Title source: LLM

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-6234. PoCs published by Christian Catalano.

AI-analyzed exploit summary: The document describes a stored XSS vulnerability in SpagoBI 4.0 due to unrestricted file upload in the Worksheet designer function, allowing attackers to upload malicious HTML files. The PoC demonstrates uploading an HTML file with embedded JavaScript to trigger an alert.

Description

Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, aka "XSS File Upload."

Exploits (1)

exploitdb WRITEUP
by Christian Catalano · text · webapps · php
https://www.exploit-db.com/exploits/32040

Classification
Writeup 100%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: SpagoBI 4.0
Auth required
Prerequisites: Access to a restricted SpagoBI account (e.g., Business User Account)
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/125497
Third Party Advisory, VDB Entry x_refsource_misc
http://www.exploit-db.com/exploits/32040
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/91504

Scores

CVSS v3 8.0
EPSS 0.0671
EPSS Percentile 93.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
eng/spagobi < 4.1
Published Nov 22, 2019
Tracked Since Feb 18, 2026