The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
SAP BusinessObjects (Visual Difference), versions 4.2 and 4.3, allows an attacker to upload any file (including script files) without proper file format validation.
Cross-Site Scripting
SAP BusinessObjects BI 4.2
SAP BusinessObjects BI 4.3
Apply SAP Notes 2727564 and 2638175.