Skip to main content

SAP BusinessObjects Business Intelligence Platform EUVDEUVD-2026-29369

| CVE-2026-0502 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-12 sap GHSA-c3wc-2h7r-75f9
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:15 vuln.today
CVE Published
May 12, 2026 - 02:19 nvd
MEDIUM 5.4

DescriptionCVE.org

Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data.

AnalysisAI

Cross-site request forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform allows unauthenticated attackers to trick authenticated users into sending unintended requests to the web server, resulting in low-impact modifications to application integrity and availability. The vulnerability requires user interaction (clicking a malicious link) and affects all versions of the platform due to insufficient CSRF token validation. No confidentiality impact is present, limiting the attack surface to state-changing operations.

Technical ContextAI

SAP BusinessObjects Business Intelligence Platform is a web-based business analytics and reporting application. The vulnerability stems from inadequate cross-site request forgery (CSRF) protections in the web interface, classified under CWE-352 (Cross-Site Request Forgery). CSRF attacks exploit the trust a web browser places in authenticated sessions by inducing users to perform unintended actions without their knowledge. In this case, the platform lacks or improperly implements synchronizer tokens, SameSite cookie attributes, or other anti-CSRF mechanisms. The CPE indicates all versions of SAP BusinessObjects BI Platform are affected, suggesting the flaw exists across the product line without version-specific limits.

RemediationAI

Apply the security patch released by SAP as documented in SAP Note 3667593 and announced via the SAP Security Patch Day program (referenced at https://url.sap/sapsecuritypatchday). Specific patch version numbers are not provided in available references; consult the SAP note directly for exact update versions. In addition to patching, implement CSRF mitigations: enforce SameSite=Strict or SameSite=Lax cookie attributes on session cookies to prevent cross-site request inclusion, deploy Content Security Policy (CSP) headers to restrict form submissions to same-origin, implement double-submit cookie patterns if available in the application, and enable CSRF tokens on all state-changing operations. For organizations unable to patch immediately, restrict BusinessObjects BI Platform access to internal networks only using firewall rules or VPN requirements, reducing exposure to cross-site attacks originating from external web pages. Monitor for unusual cross-origin requests in access logs and educate users to avoid clicking links from untrusted sources while authenticated to BI Platform.

Share

EUVD-2026-29369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy