CVE-2023-42478: 
SAP BusinessObjects Business Intelligence Platform vulnerability analysis and mitigation

SAP Business Objects Business Intelligence Platform versions 420 and 430 contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-42478. The vulnerability was disclosed on December 11, 2023, and allows attackers to upload agnostic documents that, when opened by other users, could compromise the application's integrity (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N. SAP's own assessment rated it at 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability can lead to high impact on the integrity of the application when exploited. It allows for stored XSS attacks that can compromise confidentiality of data at a low level and integrity at a high level, while the availability impact is negligible according to the CVSS metrics (NVD).

SAP has released security patches for the affected versions (420 and 430) of Business Objects Business Intelligence Platform. Users are advised to apply these updates to mitigate the vulnerability (SAP Security Note).