Engineering Ingegneria Informatica SpagoBI
Moderate fix1 remedy
cpe:2.3:a:eng:spagobi:*:*:*:*:*:*:*
Moderate fix1 remedy
- <= 3.5.1
SpagoBI Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in SpagoBI version 3.5.1. This issue resides within the worksheet designer function, specifically in the create and edit forms, where user input is not properly sanitized, allowing for the injection of malicious scripts.
Impact
Exploitation of this vulnerability allows for the injection of JavaScript that is executed in the context of the user, potentially leading to cookie theft, privilege escalation, or execution of malicious actions such as downloading harmful files.
Reproduction
To reproduce this vulnerability, log into the application with sufficient permissions to access the worksheet designer page. While editing a document, insert a payload consisting of an image tag with an 'onerror' event. Alternatively, when saving a file, include the same payload in the filename or information fields. After saving, visit the home or worksheet designer page, where the injected script will be executed, triggering an alert.
Remediation
Users are advised to update to the latest version of SpagoBI.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
0.8impact
1.7exploitability
6.3remediation
7.7relevance
0.0threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.