CVE-2026-0508

SAP · BusinessObjects Business Intelligence Platform

SAP BusinessObjects BI Platform allows high-privileged authenticated attackers to inject malicious URLs, creating risks of phishing or unauthorized redirects.

Executive summary

High-privileged users can inject malicious URLs into the SAP BusinessObjects BI Platform, potentially facilitating phishing attacks or redirecting users to malicious sites.

Vulnerability

This vulnerability allows an authenticated attacker with high privileges to insert malicious URLs within the application. This is likely due to insufficient input validation in fields that display links to other users.

Business impact

The vulnerability carries a CVSS score of 7.3 (High), and the primary risk is the exploitation of trust. An attacker could redirect other users (including administrators) to a credential-harvesting site or deliver malware. Although exploitation requires high privileges, it can be used for lateral movement or to compromise the workstations of other platform users.

Remediation

Immediate Action: Apply the vendor-provided security updates for SAP BusinessObjects.

Proactive Monitoring: Audit application content for the presence of suspicious external URLs or links that do not conform to corporate domains.

Compensating Controls: Use a secure web gateway to block access to known malicious domains and implement browser-based protections to alert users when they are being redirected to external sites.
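
One way to run the audit described under Proactive Monitoring, as an added example that is not SAP's or this advisory's own code: it extracts links from exported content and flags any whose host falls outside a corporate allowlist. The allowlist, the function names and the sample content are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder corporate domains; replace with your own list.
ALLOWED_DOMAINS = {"corp.example.com", "example.com"}

# Matches absolute (scheme://host) and scheme-relative (//host) links.
URL_RE = re.compile(r"""(?:\b[a-z][a-z0-9+.-]*:)?//[^\s"'<>)]+""", re.I)

# Constructed sample of exported content, not taken from any real system.
SAMPLE = """
<a href="https://reports.corp.example.com/q3">Q3 report</a>
<a href="https://corp.example.com.login.invalid/sso">Sign in</a>
<a href="https://corp.example.com@portal.invalid/">Portal</a>
<img src="//cdn.invalid/pixel.png">
See http://example.com/help for details.
<a href="ftp://files.corp.example.com/a.zip">Archive</a>
"""

def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is an allowed domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    # Match on a dot boundary so "badexample.com" does not pass as "example.com".
    return any(host == d or host.endswith("." + d) for d in allowed)

def classify(url):
    """Return the reason a link needs review, or None if it looks internal."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "unexpected scheme"
    if parts.username is not None:
        # Text before "@" is userinfo; the real destination is what follows.
        return "userinfo before host"
    if not host or not host_allowed(host):
        return "external host: " + (host or "<none>")
    return None

def audit_links(content):
    """Return (url, reason) for every link in content that needs review."""
    urls = (m.group(0).rstrip(".,;") for m in URL_RE.finditer(content))
    return [(u, r) for u in urls if (r := classify(u))]

if __name__ == "__main__":
    for url, reason in audit_links(SAMPLE):
        print(reason, "->", url)
```

Parsing the host with a URL parser rather than searching for the corporate domain as a substring is what catches the second and third sample links, both of which contain an allowed domain name but resolve elsewhere.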

Exploitation status

Public Exploit Available: false

Analyst recommendation

While this vulnerability requires high privileges, it should not be ignored. Organizations should apply the patch promptly and ensure that administrative access to the BI platform is strictly controlled and monitored to prevent internal abuse.