Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data.
AnalysisAI
Cross-site request forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform allows unauthenticated attackers to trick authenticated users into sending unintended requests to the web server, resulting in low-impact modifications to application integrity and availability. The vulnerability requires user interaction (clicking a malicious link) and affects all versions of the platform due to insufficient CSRF token validation. No confidentiality impact is present, limiting the attack surface to state-changing operations.
Technical ContextAI
SAP BusinessObjects Business Intelligence Platform is a web-based business analytics and reporting application. The vulnerability stems from inadequate cross-site request forgery (CSRF) protections in the web interface, classified under CWE-352 (Cross-Site Request Forgery). CSRF attacks exploit the trust a web browser places in authenticated sessions by inducing users to perform unintended actions without their knowledge. In this case, the platform lacks or improperly implements synchronizer tokens, SameSite cookie attributes, or other anti-CSRF mechanisms. The CPE indicates all versions of SAP BusinessObjects BI Platform are affected, suggesting the flaw exists across the product line without version-specific limits.
RemediationAI
Apply the security patch released by SAP as documented in SAP Note 3667593 and announced via the SAP Security Patch Day program (referenced at https://url.sap/sapsecuritypatchday). Specific patch version numbers are not provided in available references; consult the SAP note directly for exact update versions. In addition to patching, implement CSRF mitigations: enforce SameSite=Strict or SameSite=Lax cookie attributes on session cookies to prevent cross-site request inclusion, deploy Content Security Policy (CSP) headers to restrict form submissions to same-origin, implement double-submit cookie patterns if available in the application, and enable CSRF tokens on all state-changing operations. For organizations unable to patch immediately, restrict BusinessObjects BI Platform access to internal networks only using firewall rules or VPN requirements, reducing exposure to cross-site attacks originating from external web pages. Monitor for unusual cross-origin requests in access logs and educate users to avoid clicking links from untrusted sources while authenticated to BI Platform.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29369
GHSA-c3wc-2h7r-75f9