CVE-2019-0396
HIGHSAP BusinessObjects Business Intelligence Platform - XML External Entity Injection in Web Intelligence HTML Interface
Title source: llmDescription
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted source. An attacker can craft a message that contains malicious elements that will not be correctly filtered by Web Intelligence HTML interface in some specific workflows.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2814007
Scores
CVSS v3
7.1
EPSS
0.0043
EPSS Percentile
62.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (2)
sap/businessobjects_business_intelligence_platform
4.0
sap/businessobjects_business_intelligence_platform
4.1 sp10 (3 CPE variants)
Published
Nov 13, 2019
Tracked Since
Feb 18, 2026