CVE-2024-28165 Overview
CVE-2024-28165 is a stored Cross-Site Scripting (XSS) vulnerability affecting the SAP BusinessObjects Business Intelligence Platform. The vulnerability exists within the Opendocument URL parameter handling, allowing attackers to inject malicious scripts that persist within the application. When successfully exploited, this vulnerability enables unauthorized access to sensitive data and manipulation of application content, posing significant risks to enterprise business intelligence environments.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in victim browsers, potentially leading to session hijacking, credential theft, and unauthorized data access within the SAP BusinessObjects environment.
Affected Products
- SAP BusinessObjects Business Intelligence Platform version 430
- SAP BusinessObjects Business Intelligence Platform version 440
Discovery Timeline
- May 14, 2024 - CVE-2024-28165 published to NVD
- October 23, 2025 - Last updated in NVD database
Technical Details for CVE-2024-28165
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in the Opendocument URL handling mechanism of SAP BusinessObjects Business Intelligence Platform. The platform fails to properly sanitize user-supplied input within certain URL parameters, allowing attackers to inject malicious JavaScript code that becomes stored within the application. Unlike reflected XSS, stored XSS payloads persist in the target application's database or storage, executing whenever a user accesses the affected resource.
The vulnerability requires user interaction—a victim must navigate to the compromised URL or view the stored malicious content. However, the scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component itself, potentially affecting other applications or user sessions within the same security context.
Root Cause
The root cause stems from insufficient input validation and output encoding in the Opendocument URL parameter processing. The application accepts user-controlled input without properly sanitizing special characters or encoding output when rendering content to the browser. This allows HTML and JavaScript code to be injected and executed in the context of the victim's authenticated session.
Attack Vector
The attack is network-accessible, requiring no authentication or special privileges from the attacker. An adversary crafts a malicious Opendocument URL containing JavaScript payloads embedded within the vulnerable parameter. When this URL is accessed by victims or when the stored payload is triggered, the malicious script executes within the user's browser context.
The attack typically proceeds as follows: the attacker identifies the vulnerable URL parameter, crafts a payload containing malicious JavaScript (such as session token exfiltration or DOM manipulation code), and either distributes the URL to potential victims or stores the payload within the application for persistent execution.
Detection Methods for CVE-2024-28165
Indicators of Compromise
- Unusual JavaScript or HTML tags appearing in Opendocument URL parameters within web server logs
- Unexpected outbound network connections from user browsers to external domains during SAP BusinessObjects sessions
- Reports of suspicious behavior or unauthorized actions within the SAP BusinessObjects platform
- Anomalous HTTP requests containing encoded script content targeting BusinessObjects endpoints
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in URL parameters
- Enable detailed logging for SAP BusinessObjects web tier components to capture URL parameter values
- Implement browser-based XSS detection using Content Security Policy (CSP) violation reporting
- Review application logs for patterns consistent with XSS exploitation attempts
Monitoring Recommendations
- Monitor HTTP request logs for encoded script tags (<script>, javascript:, onerror=) in URL parameters
- Configure SIEM rules to alert on potential XSS indicators targeting SAP BusinessObjects endpoints
- Implement real-time monitoring of outbound connections initiated during authenticated user sessions
- Audit user activity logs for unexpected actions that may indicate compromised sessions
How to Mitigate CVE-2024-28165
Immediate Actions Required
- Apply the security patch referenced in SAP Security Note #3431794 immediately
- Review access logs for evidence of exploitation attempts targeting Opendocument URLs
- Consider restricting access to the SAP BusinessObjects platform until patches are applied
- Notify users to avoid clicking unfamiliar links to the BusinessObjects platform
Patch Information
SAP has released a security patch addressing this vulnerability. Administrators should obtain and apply the fix documented in SAP Security Note #3431794. The patch implements proper input validation and output encoding for the affected Opendocument URL parameters. Organizations should prioritize patching SAP BusinessObjects Business Intelligence Platform versions 430 and 440 as these are confirmed to be vulnerable.
For complete security guidance, refer to the SAP Security Notes Overview for the latest advisories and updates.
Workarounds
- Implement a web application firewall (WAF) with XSS detection rules in front of SAP BusinessObjects
- Deploy Content Security Policy (CSP) headers to restrict script execution to trusted sources only
- Restrict network access to the SAP BusinessObjects platform to trusted internal users only
- Consider disabling or restricting access to Opendocument functionality if not business-critical until patching is complete
# Example: Configure strict Content Security Policy headers at the web server level
# Apache HTTP Server configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
