Vulnerabilities related to sap - businessobjects
Vulnerability from fkie_nvd
Published
2018-04-10 15:29
Modified
2024-11-21 04:03
Severity ?
7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/103700 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ | Vendor Advisory | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2537150 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103700 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2537150 | Permissions Required |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.0 | |
sap | businessobjects | 4.10 | |
sap | businessobjects | 4.20 | |
sap | businessobjects | 4.30 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "71F0E7EB-FCFE-48AD-B8C3-5D411DF6BA07", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.10:*:*:*:*:*:*:*", "matchCriteriaId": "D2ECC5D4-63AC-413D-854E-3A66A6342CBC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.20:*:*:*:*:*:*:*", "matchCriteriaId": "4B943822-5002-4FA8-81C1-2174B519E060", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.30:*:*:*:*:*:*:*", "matchCriteriaId": "ACFEFCB6-E0BF-4D9A-837C-1FF8635EA3FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active." }, { "lang": "es", "value": "Gesti\u00f3n incorrecta de sesi\u00f3n en SAP Business Objects, en su versi\u00f3n 4.0, desde la versi\u00f3n 4.20, 4.30, en CMC/BI Launchpad/Fiorified BI Launchpad. En el caso de que se cambie la contrase\u00f1a de un usuario, el resto de sesiones activas creadas con la contrase\u00f1a antigua seguir\u00e1n estando activas." 
} ], "id": "CVE-2018-2408", "lastModified": "2024-11-21T04:03:45.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@sap.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-04-10T15:29:01.427", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103700" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/" }, { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": 
"https://launchpad.support.sap.com/#/notes/2537150" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103700" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2537150" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-384" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:20
Severity ?
9.0 (High) - CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C
Summary
CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 3.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property." }, { "lang": "es", "value": "CmcApp en SAP BusinessObjects Enterprise XI 3.2 permite a usuarios autenticados remotos escalar privilegios a trav\u00e9s de vectores que involucran el \"Program Job Server\" (servidor de trabajos de programa) y la propiedad \"Program Login\" (inicio de sesi\u00f3n de programa)." } ], "id": "CVE-2010-3983", "lastModified": "2024-11-21T01:20:00.927", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-18T17:00:04.253", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/68682" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/68682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-15 18:29
Modified
2024-11-21 04:16
Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/106993 | Third Party Advisory | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2638175 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106993 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2638175 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.2 | |
sap | businessobjects | 4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "07B4BCC2-3F12-4A66-AF86-1C8C2B418B69", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7445C0BF-43DD-4A04-83AF-2DDB7C393333", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." }, { "lang": "es", "value": "Fiori Launchpad en SAP BusinessObjects, en versiones anteriores a la 4.2 y 4.3, no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad Cross-Site Scripting (XSS)." } ], "id": "CVE-2019-0251", "lastModified": "2024-11-21T04:16:35.030", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2019-02-15T18:29:00.287", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/106993" }, { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2638175" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/106993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2638175" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-15 18:29
Modified
2024-11-21 04:16
Severity ?
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/106997 | Third Party Advisory | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2727564 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106997 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2727564 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.2 | |
sap | businessobjects | 4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "07B4BCC2-3F12-4A66-AF86-1C8C2B418B69", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7445C0BF-43DD-4A04-83AF-2DDB7C393333", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation." }, { "lang": "es", "value": "SAP BusinessObjects, en versiones 4.2 y 4.3, (diferencia visual) permite que un atacante suba cualquier archivo (incluyendo archivos de script) sin una validaci\u00f3n del formato de archivo adecuada." } ], "id": "CVE-2019-0259", "lastModified": "2024-11-21T04:16:35.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-02-15T18:29:01.367", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/106997" }, { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2727564" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/106997" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2727564" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:11
Severity ?
10.0 (High) - CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:axis2:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F0CBFD09-884C-436D-8D92-88B47A130C47", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "E0604FFE-16AC-4990-85F6-88C48A8E1707", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4D99CAA7-6580-4B1E-BDD7-0933F037B29D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "EC2371DC-0E86-49F2-98F6-4CCE49A24183", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "38D8E446-7735-49C4-83E3-F1E6448ABD43", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "89046700-F2B9-4468-AB71-3451401C16DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:axis2:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "FEC87179-CCFA-45D4-98C1-7D594EC88999", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service." 
}, { "lang": "es", "value": "Axis2 de Apache, tal y como es usado en dswsbobje.war en SAP BusinessObjects Enterprise XI versi\u00f3n 3.2, CA ARCserve D2D r15 y otros productos, tiene una contrase\u00f1a por defecto de axis2 para la cuenta de administrador, lo que facilita a los atacantes remotos ejecutar c\u00f3digo arbitrario mediante la carga de un servicio web especialmente dise\u00f1ado." } ], "id": "CVE-2010-0219", "lastModified": "2024-11-21T01:11:46.957", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-18T17:00:03.457", "references": [ { "source": "cret@cert.org", "url": "http://retrogod.altervista.org/9sg_ca_d2d.html" }, { "source": "cret@cert.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41799" }, { "source": "cret@cert.org", "url": "http://secunia.com/advisories/42763" }, { "source": "cret@cert.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "cret@cert.org", "url": "http://www.exploit-db.com/exploits/15869" }, { "source": "cret@cert.org", "tags": [ "US Government Resource" ], "url": "http://www.kb.cert.org/vuls/id/989719" }, { "source": "cret@cert.org", "url": "http://www.osvdb.org/70233" }, { "source": "cret@cert.org", "tags": [ "Exploit" ], "url": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp" }, { "source": "cret@cert.org", "url": 
"http://www.securityfocus.com/archive/1/514284/100/0/threaded" }, { "source": "cret@cert.org", "url": "http://www.securitytracker.com/id?1024929" }, { "source": "cret@cert.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2673" }, { "source": "cret@cert.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62523" }, { "source": "cret@cert.org", "url": "https://kb.juniper.net/KB27373" }, { "source": "cret@cert.org", "tags": [ "Patch" ], "url": "https://service.sap.com/sap/support/notes/1432881" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://retrogod.altervista.org/9sg_ca_d2d.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41799" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42763" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/15869" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "US Government Resource" ], "url": "http://www.kb.cert.org/vuls/id/989719" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/70233" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514284/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1024929" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2673" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/62523" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://kb.juniper.net/KB27373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://service.sap.com/sap/support/notes/1432881" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-255" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-12-17 19:59
Modified
2024-11-21 02:20
Severity ?
10.0 (High) - CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.1:*:*:*:edge:*:*:*", "matchCriteriaId": "9BB3233A-AF03-4B66-B558-00E2CDA9849F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905." }, { "lang": "es", "value": "SAP BusinessObjects Edge 4.1 permite a atacantes remotos obtener la token SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN y obtener privilegios a trav\u00e9s de una llamada CORBA manipulada, tambi\u00e9n conocido como SAP Note 2039905." } ], "id": "CVE-2014-9387", "lastModified": "2024-11-21T02:20:45.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-12-17T19:59:07.527", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://seclists.org/fulldisclosure/2014/Dec/60" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/534249/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://seclists.org/fulldisclosure/2014/Dec/60" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/534249/100/0/threaded" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-12 03:15
Modified
2024-11-21 08:19
Severity ?
6.2 (Medium) - CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Summary
SAP BusinessObjects Suite Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system files causing a limited impact on integrity and completely compromising the availability of the system.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3317702 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3317702 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 420 | |
sap | businessobjects | 430 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:420:*:*:*:-:*:*:*", "matchCriteriaId": "1937280E-4E75-4D85-A0B6-7AF4A5BEB8D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:430:*:*:*:-:*:*:*", "matchCriteriaId": "1DFDC013-B6C9-4F90-B5DA-8CEB9972759D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Suite\u00a0Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system files causing a limited impact on integrity and completely compromising the availability of the system.\n\n" }, { "lang": "es", "value": "SAP BusinessObjects Suite Installer - versi\u00f3n 420, 430, permite a un atacante dentro de la red crear un directorio en un directorio temporal y vincularlo a un directorio con archivos del sistema operativo. En la explotaci\u00f3n exitosa, el atacante puede eliminar todos los archivos del sistema operativo causando un impacto limitado en la integridad y comprometiendo completamente la disponibilidad del sistema." 
} ], "id": "CVE-2023-40623", "lastModified": "2024-11-21T08:19:50.587", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "cna@sap.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-12T03:15:13.003", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": "https://me.sap.com/notes/3317702" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://me.sap.com/notes/3317702" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1386" } ], "source": "cna@sap.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-14 21:29
Modified
2024-11-21 04:16
Severity ?
7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2738796 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2738796 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.2 | |
sap | businessobjects | 4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "07B4BCC2-3F12-4A66-AF86-1C8C2B418B69", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7445C0BF-43DD-4A04-83AF-2DDB7C393333", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." }, { "lang": "es", "value": "Bajo ciertas condiciones, la plataforma SAP BusinessObjects Business Intelligence (Analysis for OLAP), versiones 4.2 y 4.3, permite que un atacante acceda a informaci\u00f3n que, de lo contrario, ser\u00eda restringida." } ], "id": "CVE-2019-0289", "lastModified": "2024-11-21T04:16:38.600", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-14T21:29:00.637", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2738796" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2738796" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-12-12 14:29
Modified
2024-11-21 03:16
Severity ?
Summary
Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/102146 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/ | Vendor Advisory | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2531656 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102146 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2531656 | Permissions Required |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.10 | |
sap | businessobjects | 4.20 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.10:*:*:*:enterprise:*:*:*", "matchCriteriaId": "7ADB0FE4-5D58-48A6-AD46-313BC180D286", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.20:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5F12136F-1B99-4008-BB16-0BD933B09A28", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service." }, { "lang": "es", "value": "Denegaci\u00f3n de servicio (DoS) en SAP Business Objects Platform, Enterprise 4.10 y 4.20, que podr\u00eda permitir que un atacante evite que usuarios leg\u00edtimos accedan a un servicio." } ], "id": "CVE-2017-16683", "lastModified": "2024-11-21T03:16:49.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2017-12-12T14:29:00.437", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102146" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/" }, { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2531656" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102146" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2531656" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-10-16 19:55
Modified
2024-11-21 02:18
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "71F0E7EB-FCFE-48AD-B8C3-5D411DF6BA07", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la funcionalidad Send to Inbox en SAP BusinessObjects BI EDGE 4.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores sin especificar." } ], "id": "CVE-2014-8308", "lastModified": "2024-11-21T02:18:48.937", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-10-16T19:55:19.753", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Oct/41" }, { "source": "cve@mitre.org", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/533649/100/0/threaded" }, { 
"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/70290" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96873" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/1941562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Oct/41" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/533649/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/70290" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96873" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/1941562" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-10-16 19:55
Modified
2024-11-21 02:18
Severity ?
Summary
The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via a crafted OSCAFactory::Session ORB message.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "71F0E7EB-FCFE-48AD-B8C3-5D411DF6BA07", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message." }, { "lang": "es", "value": "El servicio de escucha CMS CORBA en SAP BusinessObjects BI Edge 4.0 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (apagado del servidor) a trav\u00e9s de un mensaje OSCAFactory::Session ORB manipulado." } ], "id": "CVE-2014-8310", "lastModified": "2024-11-21T02:18:50.163", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-10-16T19:55:19.880", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Oct/40" }, { "source": "cve@mitre.org", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/533646/100/0/threaded" }, { "source": 
"cve@mitre.org", "url": "http://www.securityfocus.com/bid/70308" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96875" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/2001106" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Oct/40" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/533646/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/70308" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96875" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/2001106" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:20
Severity ?
Summary
Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different error messages depending on whether the Login field corresponds to a valid username, which allows remote attackers to enumerate account names via a login SOAPAction to the dswsbobje/services/session URI.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 3.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different error messages depending on whether the Login field corresponds to a valid username, which allows remote attackers to enumerate account names via a login SOAPAction to the dswsbobje/services/session URI." }, { "lang": "es", "value": "Dswsbobje en SAP BusinessObjects Enterprise XI v3.2 genera mensajes de error diferentes dependiendo de si el campo Login corresponde a un nombre de usuario v\u00e1lido, lo que permite a usuarios remotos enumerar los nombres de cuentas de usuario a trav\u00e9s de una SOAPAction login a la URI dswsbobje/services/session." } ], "id": "CVE-2010-3979", "lastModified": "2024-11-21T01:20:00.387", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-18T17:00:04.097", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:20
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 3.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en SAP BusinessObjects Enterprise XI v3.2 permite a atacantes remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s del campo ServiceClass de la p\u00e1gina \"Edit Service Parameters\" (edici\u00f3n de par\u00e1metros de servicio)." } ], "id": "CVE-2010-3981", "lastModified": "2024-11-21T01:20:00.657", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2010-10-18T17:00:04.173", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/68680" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/68680" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": 
"http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:20
Severity ?
Summary
SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an "internal port scanning" issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 3.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an \"internal port scanning\" issue." }, { "lang": "es", "value": "SAP BusinessObjects Enterprise XI 3.2 permite a atacantes remotos realizar conexiones TCP a equipos arbitrarios de la intranet en cualquier puerto, y obtener informaci\u00f3n potencialmente confidencial sobre los puertos abiertos, a trav\u00e9s del par\u00e1metro apstoken de la URI CrystalReports/viewrpt.cwr. Relacionado con un problema de \"escaneo de puertos interno\"." 
} ], "id": "CVE-2010-3982", "lastModified": "2024-11-21T01:20:00.797", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-18T17:00:04.220", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/68681" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/68681" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62682" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-14 19:29
Modified
2024-11-21 04:16
Severity ?
Summary
SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2 and 4.3: the module BILogon/appService.jsp reflects the request parameter errMsg into the response content without sanitization (reflected cross-site scripting). An attacker could use this to build a special URL that executes custom JavaScript code when the URL is accessed.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2637997 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2637997 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.2 | |
sap | businessobjects | 4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "07B4BCC2-3F12-4A66-AF86-1C8C2B418B69", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7445C0BF-43DD-4A04-83AF-2DDB7C393333", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute custom JavaScript code when the url is accessed." }, { "lang": "es", "value": "Business Intelligence Platform (Consola de administraci\u00f3n) de SAP BusinessObjects, versiones 4.2, 4.3, m\u00f3dulo BILogon/appService.jsp est\u00e1 reflejando el par\u00e1metro errMsg solicitado en el contenido de la respuesta sin saneamiento. Este podr\u00eda ser utilizado por un atacante para crear una URL especial que ejecute c\u00f3digo JavaScript personalizado cuando la URL sea accedida." 
} ], "id": "CVE-2019-0303", "lastModified": "2024-11-21T04:16:39.203", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-14T19:29:00.277", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2637997" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2637997" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-05-11 15:15
Modified
2024-11-21 06:56
Severity ?
Summary
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2998510 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2998510 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 420 | |
sap | businessobjects | 430 | |
sap | businessobjects_business_intelligence | 420 | |
sap | businessobjects_business_intelligence | 430 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:420:*:*:*:enterprise:*:*:*", "matchCriteriaId": "402CA360-5CBB-41FD-95E5-239C3DBC3BAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:430:*:*:*:enterprise:*:*:*", "matchCriteriaId": "85CA5F35-E406-4691-BDA9-6D467F44CE4C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence:420:*:*:*:*:*:*:*", "matchCriteriaId": "38BA0DF9-D893-4AF9-923E-E47EA5C02C52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence:430:*:*:*:*:*:*:*", "matchCriteriaId": "85CBCF48-5478-4EE5-8F69-6E59EFDB707D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems\u2019 Confidentiality, Integrity, and Availability." }, { "lang": "es", "value": "Durante una actualizaci\u00f3n de SAP BusinessObjects Enterprise, Central Management Server (CMS) - versiones 420, 430, las credenciales de autenticaci\u00f3n est\u00e1n siendo expuestas en los registros de eventos de Sysmon. 
Esta divulgaci\u00f3n de informaci\u00f3n podr\u00eda causar un alto impacto en la confidencialidad, integridad y disponibilidad de los sistemas" } ], "id": "CVE-2022-28214", "lastModified": "2024-11-21T06:56:57.753", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-11T15:15:09.730", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2998510" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2998510" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "sourceIdentifier": 
"cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-312" } ], "source": "cna@sap.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-14 21:29
Modified
2024-11-21 04:16
Severity ?
Summary
Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/108316 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2737278 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/108316 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2737278 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.2 | |
sap | businessobjects | 4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "07B4BCC2-3F12-4A66-AF86-1C8C2B418B69", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7445C0BF-43DD-4A04-83AF-2DDB7C393333", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." }, { "lang": "es", "value": "Bajo ciertas condiciones, la plataforma SAP BusinessObjects Business Intelligence (Central Management Server), versiones 4.2 y 4.3, permite a un atacante acceder a informaci\u00f3n que, de lo contrario, ser\u00eda restringida." } ], "id": "CVE-2019-0287", "lastModified": "2024-11-21T04:16:38.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.7, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-14T21:29:00.527", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/108316" }, { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2737278" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/108316" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2737278" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-05-09 01:15
Modified
2024-11-21 07:55
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The Information design tool in SAP BusinessObjects Platform, versions 420 and 430, transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.20 | |
sap | businessobjects | 4.30 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.20:*:*:*:*:*:*:*", "matchCriteriaId": "4B943822-5002-4FA8-81C1-2174B519E060", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects:4.30:*:*:*:*:*:*:*", "matchCriteriaId": "ACFEFCB6-E0BF-4D9A-837C-1FF8635EA3FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.\n\n" } ], "id": "CVE-2023-28764", "lastModified": "2024-11-21T07:55:57.583", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@sap.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-09T01:15:08.863", "references": [ { "source": "cna@sap.com", "tags": [ "Broken Link" ], 
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "cna@sap.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-10-16 19:55
Modified
2024-11-21 02:18
Severity ?
Summary
SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "71F0E7EB-FCFE-48AD-B8C3-5D411DF6BA07", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener." }, { "lang": "es", "value": "BusinessObjects Edge 4.0 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una petici\u00f3n InfoStore a un servicio de escucha CORBA." } ], "evaluatorComment": "Improper Authorization (CWE-285)", "id": "CVE-2014-8311", "lastModified": "2024-11-21T02:18:50.313", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-10-16T19:55:19.943", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Oct/39" }, { "source": "cve@mitre.org", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/533648/100/0/threaded" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96876" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://service.sap.com/sap/support/notes/1998990" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Oct/39" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/533648/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96876" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/1998990" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-10-16 19:55
Modified
2024-11-21 02:18
Severity ?
Summary
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.0 | |
sap | businessobjects_xi | 3.1 | |
sap | businessobjects_xi | r2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "71F0E7EB-FCFE-48AD-B8C3-5D411DF6BA07", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_xi:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF32F47A-26FB-4D10-B53F-31C408DB428B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_xi:r2:*:*:*:*:*:*:*", "matchCriteriaId": "C0B5D84F-9D6D-42B2-AD49-14177ACBD51D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service." }, { "lang": "es", "value": "SAP BusinessObjects 4.0 y BusinessObjects XI (BOXI) R2 y 3.1 generan mensajes de error tras un intento de inicio de sesi\u00f3n fallido con diferente tiempo de retraso dependiendo de si la cuenta de usuario existe o no, lo que permite a atacantes remotos enumerar nombres de usuario v\u00e1lidos a trav\u00e9s de peticiones de autenticaci\u00f3n SecEnterprise al servicio web Session." 
} ], "id": "CVE-2014-8309", "lastModified": "2024-11-21T02:18:49.967", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-10-16T19:55:19.817", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Oct/42" }, { "source": "cve@mitre.org", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/533647/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/70304" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96874" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/2001109" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Oct/42" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/533647/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.securityfocus.com/bid/70304" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96874" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://service.sap.com/sap/support/notes/2001109" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-30 14:22
Modified
2024-11-21 02:07
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:-:*:*:*:*:*:*:*", "matchCriteriaId": "A62538AA-31CE-47EC-B81B-3C140512CD98", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la aplicaci\u00f3n InfoView en SAP BusinessObjects permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-3134", "lastModified": "2024-11-21T02:07:31.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-30T14:22:07.377", "references": [ { "source": "cve@mitre.org", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Apr/303" }, { "source": "cve@mitre.org", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/67110" }, { "source": "cve@mitre.org", "url": "https://service.sap.com/sap/support/notes/1931399" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://seclists.org/fulldisclosure/2014/Apr/303" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/67110" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://service.sap.com/sap/support/notes/1931399" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-10-18 17:00
Modified
2024-11-21 01:20
Severity ?
Summary
Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the number of CUIDs that may be requested, which allows remote authenticated users to cause a denial of service via a large numCuids value in a GenerateCuids SOAPAction to the dswsbobje/services/biplatform URI.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 3.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:3.2:*:enterprise_xi:*:*:*:*:*", "matchCriteriaId": "224ED925-BF44-4C85-89B5-DC3A187AAE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the number of CUIDs that may be requested, which allows remote authenticated users to cause a denial of service via a large numCuids value in a GenerateCuids SOAPAction to the dswsbobje/services/biplatform URI." }, { "lang": "es", "value": "Dswsbobje en SAP BusinessObjects Enterprise XI v3.2 no limita el n\u00famero de CUIDs que pueden ser solicitados, lo que permite a usuarios remotos autenticados provocar una denegaci\u00f3n de servicio a trav\u00e9s de valores numCuids extensos de una SOAPAction GenerateCuids de la URI dswsbobje/services/biplatform URI." } ], "id": "CVE-2010-3980", "lastModified": "2024-11-21T01:20:00.517", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-18T17:00:04.143", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-15 20:59
Modified
2024-11-21 02:37
Severity ?
Summary
SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | businessobjects | 4.1 | |
sap | businessobjects_edge | 4.0 | |
sap | businessobjects_xi | 3.1 | |
sap | businessobjects_xi | r3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:businessobjects:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "BC362E4E-0549-4F9A-8FEE-302D7B4E0396", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_edge:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "37294BF8-A978-4054-9F65-AA465DDA9E8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_xi:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF32F47A-26FB-4D10-B53F-31C408DB428B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:businessobjects_xi:r3:*:*:*:*:*:*:*", "matchCriteriaId": "848C70CA-A8CD-458D-ADEA-4F95D6596959", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108." }, { "lang": "es", "value": "SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0 y BusinessObjects XI (BOXI) 3.1 R3 permite a atacantes remotos causar una denegaci\u00f3n de servicio (lectura fuera de limite y ca\u00edda del receptor) a trav\u00e9s de un paquete GIOP manipulado, tambi\u00e9n conocido como SAP Security Note 2001108." 
} ], "id": "CVE-2015-7730", "lastModified": "2024-11-21T02:37:18.463", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-15T20:59:08.020", "references": [ { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2015/Sep/81" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1033637" }, { "source": "cve@mitre.org", "url": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition" }, { "source": "cve@mitre.org", "url": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2015/Sep/81" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1033637" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2014-8309
Vulnerability from cvelistv5
Published
2014-10-16 19:00
Modified
2024-08-06 13:10
Severity ?
EPSS score ?
Summary
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
References
▼ | URL | Tags |
---|---|---|
https://service.sap.com/sap/support/notes/2001109 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/96874 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/archive/1/533647/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2014/Oct/42 | mailing-list, x_refsource_FULLDISC | |
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029 | x_refsource_MISC | |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/70304 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:10:51.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/2001109" }, { "name": "sap-businessobjects-timing-info-disc(96874)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96874" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/533647/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/42" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "70304", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/70304" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-10-08T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/2001109" }, { "name": "sap-businessobjects-timing-info-disc(96874)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96874" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/533647/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/42" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "70304", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/70304" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8309", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise 
authentication requests to the Session web service." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://service.sap.com/sap/support/notes/2001109", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/2001109" }, { "name": "sap-businessobjects-timing-info-disc(96874)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96874" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533647/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Oct/42" }, { "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029", "refsource": "MISC", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "70304", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70304" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8309", "datePublished": "2014-10-16T19:00:00", "dateReserved": "2014-10-16T00:00:00", "dateUpdated": "2024-08-06T13:10:51.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8311
Vulnerability from cvelistv5
Published
2014-10-16 19:00
Modified
2024-08-06 13:10
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/96876 | vdb-entry, x_refsource_XF | |
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031 | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/533648/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2014/Oct/39 | mailing-list, x_refsource_FULLDISC | |
https://service.sap.com/sap/support/notes/1998990 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:10:51.033Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "sap-businessobjects-corba-info-disc(96876)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96876" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/533648/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/39" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1998990" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-10-08T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "sap-businessobjects-corba-info-disc(96876)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96876" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/533648/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/39" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/1998990" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8311", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "sap-businessobjects-corba-info-disc(96876)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96876" }, { "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031", "refsource": "MISC", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533648/100/0/threaded" }, { "name": "20141008 [Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Oct/39" }, { "name": "https://service.sap.com/sap/support/notes/1998990", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/1998990" }, { "name": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/128601/SAP-Business-Objects-Information-Disclosure-Via-CORBA.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8311", "datePublished": "2014-10-16T19:00:00", "dateReserved": "2014-10-16T00:00:00", "dateUpdated": "2024-08-06T13:10:51.033Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0219
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-08-07 00:45
Severity ?
EPSS score ?
Summary
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:45:10.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "41799", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41799" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://kb.juniper.net/KB27373" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://retrogod.altervista.org/9sg_ca_d2d.html" }, { "name": "70233", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/70233" }, { "name": "15869", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15869" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "ADV-2010-2673", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2673" }, { "name": "20101014 R7-0037: SAP BusinessObjects Axis2 Default Admin Password", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514284/100/0/threaded" }, { "name": "businessobjects-dswsbobje-security-bypass(62523)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62523" }, { "name": "42763", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42763" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp" }, { "name": "VU#989719", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/989719" }, { "name": "1024929", "tags": [ "vdb-entry", "x_refsource_SECTRACK", 
"x_transferred" ], "url": "http://www.securitytracker.com/id?1024929" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1432881" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "41799", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41799" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://kb.juniper.net/KB27373" }, { "tags": [ "x_refsource_MISC" ], "url": "http://retrogod.altervista.org/9sg_ca_d2d.html" }, { "name": "70233", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/70233" }, { "name": "15869", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15869" }, { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "ADV-2010-2673", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2673" }, { "name": "20101014 R7-0037: SAP BusinessObjects Axis2 Default Admin Password", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514284/100/0/threaded" }, { "name": 
"businessobjects-dswsbobje-security-bypass(62523)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62523" }, { "name": "42763", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42763" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp" }, { "name": "VU#989719", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "http://www.kb.cert.org/vuls/id/989719" }, { "name": "1024929", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1024929" }, { "tags": [ "x_refsource_MISC" ], "url": "https://service.sap.com/sap/support/notes/1432881" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2010-0219", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "41799", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/41799" }, { "name": "https://kb.juniper.net/KB27373", "refsource": "CONFIRM", "url": "https://kb.juniper.net/KB27373" }, { "name": "http://retrogod.altervista.org/9sg_ca_d2d.html", "refsource": "MISC", "url": "http://retrogod.altervista.org/9sg_ca_d2d.html" }, { "name": "70233", "refsource": "OSVDB", "url": "http://www.osvdb.org/70233" }, { "name": "15869", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15869" }, { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "ADV-2010-2673", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2673" }, { "name": "20101014 R7-0037: SAP BusinessObjects Axis2 Default Admin Password", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514284/100/0/threaded" }, { "name": "businessobjects-dswsbobje-security-bypass(62523)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62523" }, { "name": "42763", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42763" }, { "name": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp", "refsource": "MISC", "url": "http://www.rapid7.com/security-center/advisories/R7-0037.jsp" }, { "name": "VU#989719", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/989719" }, { "name": "1024929", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1024929" }, { "name": "https://service.sap.com/sap/support/notes/1432881", "refsource": "MISC", "url": "https://service.sap.com/sap/support/notes/1432881" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2010-0219", "datePublished": "2010-10-18T16:00:00", "dateReserved": "2010-01-06T00:00:00", "dateUpdated": "2024-08-07T00:45:10.633Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0251
Vulnerability from cvelistv5
Published
2019-02-15 18:00
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | x_refsource_MISC | |
http://www.securityfocus.com/bid/106993 | vdb-entry, x_refsource_BID | |
https://launchpad.support.sap.com/#/notes/2638175 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
SAP SE | SAP BusinessObjects Business Intelligence Platform (Fiori Launchpad) | Version: < 4.2; Version: < 4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.593Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "name": "106993", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106993" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2638175" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Business Intelligence Platform (Fiori Launchpad)", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 4.2" }, { "status": "affected", "version": "\u003c 4.3" } ] } ], "datePublic": "2019-02-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-16T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "name": "106993", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106993" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2638175" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0251", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Business Intelligence Platform (Fiori Launchpad)", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "4.2" }, { "version_name": "\u003c", "version_value": "4.3" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "name": "106993", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106993" }, { "name": "https://launchpad.support.sap.com/#/notes/2638175", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2638175" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0251", "datePublished": "2019-02-15T18:00:00", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.593Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-3134
Vulnerability from cvelistv5
Published
2014-04-30 14:00
Modified
2024-08-06 10:35
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://service.sap.com/sap/support/notes/1931399 | x_refsource_CONFIRM | |
http://seclists.org/fulldisclosure/2014/Apr/303 | mailing-list, x_refsource_FULLDISC | |
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010 | x_refsource_MISC | |
http://www.securityfocus.com/bid/67110 | vdb-entry, x_refsource_BID | |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:35:56.693Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1931399" }, { "name": "20140428 [Onapsis Security Advisory 2014-010] SAP BusinessObjects InfoView Reflected Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Apr/303" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010" }, { "name": "67110", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/67110" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-04-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-05-05T16:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/1931399" }, { "name": "20140428 [Onapsis Security Advisory 2014-010] SAP BusinessObjects InfoView Reflected Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Apr/303" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010" }, { "name": "67110", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/67110" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3134", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://service.sap.com/sap/support/notes/1931399", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/1931399" }, { "name": "20140428 [Onapsis Security Advisory 2014-010] SAP BusinessObjects InfoView Reflected Cross Site Scripting", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Apr/303" }, { "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010", "refsource": "MISC", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-010" }, { "name": "67110", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67110" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3134", "datePublished": "2014-04-30T14:00:00", "dateReserved": "2014-04-30T00:00:00", "dateUpdated": "2024-08-06T10:35:56.693Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7730
Vulnerability from cvelistv5
Published
2015-10-15 20:00
Modified
2024-08-06 07:58
Severity ?
EPSS score ?
Summary
SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108.
References
▼ | URL | Tags |
---|---|---|
https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption | x_refsource_MISC | |
https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition | x_refsource_MISC | |
http://www.securitytracker.com/id/1033637 | vdb-entry, x_refsource_SECTRACK | |
http://seclists.org/fulldisclosure/2015/Sep/81 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:58:59.953Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition" }, { "name": "1033637", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1033637" }, { "name": "20150922 [Onapsis Security Advisory 2015-013] SAP Business Objects Memory Corruption", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Sep/81" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-15T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition" }, { "name": "1033637", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1033637" }, { "name": "20150922 [Onapsis Security Advisory 2015-013] SAP Business Objects Memory Corruption", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/Sep/81" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7730", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption", "refsource": "MISC", "url": "https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption" }, { "name": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition", "refsource": "MISC", "url": "https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition" }, { "name": "1033637", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033637" }, { "name": "20150922 [Onapsis Security Advisory 2015-013] SAP Business Objects Memory Corruption", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Sep/81" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7730", "datePublished": "2015-10-15T20:00:00", "dateReserved": "2015-10-06T00:00:00", "dateUpdated": "2024-08-06T07:58:59.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3981
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-08-07 03:26
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page.
References
▼ | URL | Tags |
---|---|---|
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf | x_refsource_MISC | |
http://osvdb.org/68680 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.276Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "68680", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/68680" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass field to the Edit Service Parameters page." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-03T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "68680", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/68680" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3981", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to inject arbitrary web script or HTML via the ServiceClass 
field to the Edit Service Parameters page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" }, { "name": "68680", "refsource": "OSVDB", "url": "http://osvdb.org/68680" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3981", "datePublished": "2010-10-18T16:00:00", "dateReserved": "2010-10-18T00:00:00", "dateUpdated": "2024-08-07T03:26:12.276Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3982
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-08-07 03:26
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an "internal port scanning" issue.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/68681 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/62682 | vdb-entry, x_refsource_XF | |
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.334Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "68681", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/68681" }, { "name": "businessobject-intranet-hosts-info-disc(62682)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62682" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an \"internal port scanning\" issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "68681", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/68681" }, { "name": "businessobject-intranet-hosts-info-disc(62682)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62682" }, { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3982", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigger TCP connections to arbitrary intranet hosts on any port, and obtain potentially sensitive information about open ports, via the apstoken parameter to the CrystalReports/viewrpt.cwr URI, related to an \"internal port scanning\" issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "68681", "refsource": "OSVDB", "url": "http://osvdb.org/68681" }, { "name": "businessobject-intranet-hosts-info-disc(62682)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62682" }, { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3982", "datePublished": "2010-10-18T16:00:00", "dateReserved": "2010-10-18T00:00:00", "dateUpdated": "2024-08-07T03:26:12.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0259
Vulnerability from cvelistv5
Published
2019-02-15 18:00
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/106997 | vdb-entry, x_refsource_BID | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2727564 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
SAP SE | SAP BusinessObjects Business Intelligence Platform Servers (Enterprise) | Version: < 4.2; Version: < 4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.377Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "106997", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106997" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2727564" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Business Intelligence Platform Servers (Enterprise)", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 4.2" }, { "status": "affected", "version": "\u003c 4.3" } ] } ], "datePublic": "2019-02-12T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Unrestricted File Upload", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-16T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "name": "106997", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106997" }, { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2727564" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0259", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Business Intelligence Platform Servers (Enterprise)", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "4.2" }, { "version_name": "\u003c", "version_value": "4.3" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Unrestricted File Upload" } ] } ] }, "references": { "reference_data": [ { "name": "106997", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106997" }, { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943" }, { "name": "https://launchpad.support.sap.com/#/notes/2727564", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2727564" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0259", "datePublished": "2019-02-15T18:00:00", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.377Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3980
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-09-17 03:59
Severity ?
EPSS score ?
Summary
Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the number of CUIDs that may be requested, which allows remote authenticated users to cause a denial of service via a large numCuids value in a GenerateCuids SOAPAction to the dswsbobje/services/biplatform URI.
References
▼ | URL | Tags |
---|---|---|
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.198Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the number of CUIDs that may be requested, which allows remote authenticated users to cause a denial of service via a large numCuids value in a GenerateCuids SOAPAction to the dswsbobje/services/biplatform URI." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-10-18T16:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3980", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the number of CUIDs that may be requested, which allows remote authenticated users to cause a denial of service via a large numCuids value in a GenerateCuids SOAPAction to the dswsbobje/services/biplatform URI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3980", "datePublished": "2010-10-18T16:00:00Z", "dateReserved": "2010-10-18T00:00:00Z", "dateUpdated": "2024-09-17T03:59:59.698Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9387
Vulnerability from cvelistv5
Published
2014-12-17 19:00
Modified
2024-08-06 13:40
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
References
▼ | URL | Tags |
---|---|---|
http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2014/Dec/60 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/archive/1/534249/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:40:25.234Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Dec/60" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/534249/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-12-16T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Dec/60" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/534249/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9387", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba", "refsource": "MISC", "url": "http://www.onapsis.com/research/security-advisories/sap-business-objects-search-token-privilege-escalation-via-corba" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Dec/60" }, { "name": "20141216 [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/534249/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9387", "datePublished": "2014-12-17T19:00:00", "dateReserved": "2014-12-17T00:00:00", "dateUpdated": "2024-08-06T13:40:25.234Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0289
Vulnerability from cvelistv5
Published
2019-05-14 20:20
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2738796 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP BusinessObjects Business Intelligence platform |
Version: < 4.2 Version: < 4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.424Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2738796" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Business Intelligence platform", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 4.2" }, { "status": "affected", "version": "\u003c 4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-14T20:20:44", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2738796" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0289", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Business Intelligence platform", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "4.2" }, { "version_name": "\u003c", "version_value": "4.3" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": 
"Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "name": "https://launchpad.support.sap.com/#/notes/2738796", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2738796" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0289", "datePublished": "2019-05-14T20:20:44", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8310
Vulnerability from cvelistv5
Published
2014-10-16 19:00
Modified
2024-08-06 13:10
Severity ?
EPSS score ?
Summary
The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/70308 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/96875 | vdb-entry, x_refsource_XF | |
http://seclists.org/fulldisclosure/2014/Oct/40 | mailing-list, x_refsource_FULLDISC | |
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030 | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/533646/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM | |
https://service.sap.com/sap/support/notes/2001106 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:10:51.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "70308", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/70308" }, { "name": "sap-businessobjects-corba-dos(96875)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96875" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/40" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/533646/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/2001106" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-10-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "70308", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/70308" }, { "name": "sap-businessobjects-corba-dos(96875)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96875" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/40" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/533646/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/2001106" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8310", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) 
via crafted OSCAFactory::Session ORB message." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "70308", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70308" }, { "name": "sap-businessobjects-corba-dos(96875)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96875" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Oct/40" }, { "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030", "refsource": "MISC", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030" }, { "name": "20141008 [Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533646/100/0/threaded" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "https://service.sap.com/sap/support/notes/2001106", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/2001106" }, { "name": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/128600/SAP-Business-Objects-Denial-Of-Service-Via-CORBA.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8310", "datePublished": "2014-10-16T19:00:00", "dateReserved": "2014-10-16T00:00:00", "dateUpdated": "2024-08-06T13:10:51.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0303
Vulnerability from cvelistv5
Published
2019-06-14 18:50
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute custom JavaScript code when the url is accessed.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2637997 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP BusinessObjects Business Intelligence Platform (Administration Console) |
Version: < 4.2 Version: < 4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.390Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2637997" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Business Intelligence Platform (Administration Console)", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 4.2" }, { "status": "affected", "version": "\u003c 4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute custom JavaScript code when the url is accessed." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-14T18:50:18", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2637997" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0303", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Business Intelligence Platform (Administration Console)", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "4.2" }, { "version_name": "\u003c", "version_value": "4.3" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute custom JavaScript code when the url is accessed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242" }, { "name": "https://launchpad.support.sap.com/#/notes/2637997", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2637997" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0303", "datePublished": "2019-06-14T18:50:18", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8308
Vulnerability from cvelistv5
Published
2014-10-16 19:00
Modified
2024-08-06 13:10
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://service.sap.com/sap/support/notes/1941562 | x_refsource_CONFIRM | |
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2014/Oct/41 | mailing-list, x_refsource_FULLDISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/96873 | vdb-entry, x_refsource_XF | |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM | |
http://www.securityfocus.com/archive/1/533649/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/70290 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:10:51.141Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1941562" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/41" }, { "name": "sap-businessobjects-web-page-xss(96873)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96873" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/533649/100/0/threaded" }, { "name": "70290", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/70290" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-10-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/1941562" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Oct/41" }, { "name": "sap-businessobjects-web-page-xss(96873)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96873" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/533649/100/0/threaded" }, { "name": "70290", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/70290" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8308", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows 
remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://service.sap.com/sap/support/notes/1941562", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/1941562" }, { "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032", "refsource": "MISC", "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Oct/41" }, { "name": "sap-businessobjects-web-page-xss(96873)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96873" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "20141008 [Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533649/100/0/threaded" }, { "name": "70290", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70290" }, { "name": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/128602/SAP-BusinessObjects-Persistent-Cross-Site-Scripting.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8308", "datePublished": "2014-10-16T19:00:00", "dateReserved": "2014-10-16T00:00:00", "dateUpdated": "2024-08-06T13:10:51.141Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28764
Vulnerability from cvelistv5
Published
2023-05-09 00:55
Modified
2025-01-28 18:57
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS score ?
Summary
SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.
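References
▼ | URL | Tags |
---|---|---|
https://i7p.wdf.sap.corp/sap/support/notes/3302595 | | |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | | |
Note: the first URL is on a host under sap.corp, which looks like an SAP-internal address and may not resolve from outside SAP; the SAP Note number in it is 3302595.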
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP BusinessObjects Platform |
Version: 420 Version: 430 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T13:51:37.075Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-28764", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-28T18:57:07.115258Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-28T18:57:29.954Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. 
This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-09T00:55:04.357Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure vulnerability in SAP BusinessObjects Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-28764", "datePublished": "2023-05-09T00:55:04.357Z", "dateReserved": "2023-03-23T04:20:27.699Z", "dateUpdated": "2025-01-28T18:57:29.954Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-16683
Vulnerability from cvelistv5
Published
2017-12-12 14:00
Modified
2024-09-16 22:20
Severity ?
EPSS score ?
Summary
Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service.
References
▼ | URL | Tags |
---|---|---|
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/ | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/102146 | vdb-entry, x_refsource_BID | |
https://launchpad.support.sap.com/#/notes/2531656 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | SAP Business Objects Platform |
Version: Enterprise 4.10, 4.20 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:19.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/" }, { "name": "102146", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102146" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2531656" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP Business Objects Platform", "vendor": "SAP", "versions": [ { "status": "affected", "version": "Enterprise 4.10, 4.20" } ] } ], "datePublic": "2017-12-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service (DOS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-13T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/" }, { "name": "102146", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102146" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://launchpad.support.sap.com/#/notes/2531656" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-16683", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP Business Objects Platform", "version": { "version_data": [ { "version_value": "Enterprise 4.10, 4.20" } ] } } ] }, "vendor_name": "SAP" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service (DOS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/" }, { "name": "102146", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102146" }, { "name": "https://launchpad.support.sap.com/#/notes/2531656", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2531656" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2017-16683", "datePublished": "2017-12-12T14:00:00Z", "dateReserved": "2017-11-09T00:00:00", "dateUpdated": "2024-09-16T22:20:32.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0287
Vulnerability from cvelistv5
Published
2019-05-14 20:20
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2737278 | x_refsource_MISC | |
http://www.securityfocus.com/bid/108316 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP BusinessObjects Business Intelligence platform (Central Management Server) |
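Version: < 4.2 Version: < 4.3 |
Note: the summary above names versions 4.2 and 4.3 as affected, while the record's version fields read "< 4.2" and "< 4.3"; confirm the exact affected releases against SAP Note 2737278 before scoping.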
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2737278" }, { "name": "108316", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108316" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Business Intelligence platform (Central Management Server)", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 4.2" }, { "status": "affected", "version": "\u003c 4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-14T21:06:07", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2737278" }, { "name": "108316", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108316" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0287", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Business Intelligence platform (Central Management Server)", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "4.2" }, { "version_name": "\u003c", "version_value": "4.3" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032" }, { "name": "https://launchpad.support.sap.com/#/notes/2737278", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2737278" }, { "name": "108316", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108316" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0287", "datePublished": "2019-05-14T20:20:27", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3983
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-08-07 03:26
Severity ?
EPSS score ?
Summary
CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/68682 | vdb-entry, x_refsource_OSVDB | |
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.352Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "68682", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/68682" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-03T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "68682", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/68682" }, { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3983", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "68682", "refsource": "OSVDB", "url": "http://osvdb.org/68682" }, { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3983", "datePublished": "2010-10-18T16:00:00", "dateReserved": "2010-10-18T00:00:00", "dateUpdated": "2024-08-07T03:26:12.352Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3979
Vulnerability from cvelistv5
Published
2010-10-18 16:00
Modified
2024-09-17 02:07
Severity ?
EPSS score ?
Summary
Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different error messages depending on whether the Login field corresponds to a valid username, which allows remote attackers to enumerate account names via a login SOAPAction to the dswsbobje/services/session URI.
References
▼ | URL | Tags |
---|---|---|
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.378Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different error messages depending on whether the Login field corresponds to a valid username, which allows remote attackers to enumerate account names via a login SOAPAction to the dswsbobje/services/session URI." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-10-18T16:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3979", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different error messages depending on whether the Login field corresponds to a valid username, which allows remote attackers to enumerate account names via a login SOAPAction to the dswsbobje/services/session URI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf", "refsource": "MISC", "url": "http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3979", "datePublished": "2010-10-18T16:00:00Z", "dateReserved": "2010-10-18T00:00:00Z", "dateUpdated": "2024-09-17T02:07:13.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-40623
Vulnerability from cvelistv5
Published
2023-09-12 02:02
Modified
2024-09-25 15:28
Severity ?
6.2 (Medium) - CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
EPSS score ?
Summary
SAP BusinessObjects Suite Installer - versions 420, 430, allows an attacker within the network to create a directory under the temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system files, causing a limited impact on integrity and completely compromising the availability of the system.
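References
▼ | URL | Tags |
---|---|---|
https://me.sap.com/notes/3317702 | | |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | | |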
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP BusinessObjects Suite (Installer) |
Version: 420 Version: 430 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:38:51.035Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3317702" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-40623", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-25T15:04:33.771211Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-25T15:28:05.273Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Suite (Installer)", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Suite\u00a0Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system files causing a limited impact on integrity and completely compromising the availability of the system.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Suite\u00a0Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. 
On successful exploitation the attacker can delete all the operating system files causing a limited impact on integrity and completely compromising the availability of the system.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1386", "description": "CWE-1386: Insecure Operation on Windows Junction / Mount Point", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-12T02:02:38.194Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3317702" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-40623", "datePublished": "2023-09-12T02:02:38.194Z", "dateReserved": "2023-08-17T18:10:44.966Z", "dateUpdated": "2024-09-25T15:28:05.273Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-28214
Vulnerability from cvelistv5
Published
2022-05-11 14:54
Modified
2024-08-03 05:48
Severity ?
EPSS score ?
Summary
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability.
References
▼ | URL | Tags |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2998510 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP BusinessObjects Enterprise (Central Management Server) |
Version: 420 Version: 430 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:48:37.497Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2998510" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP BusinessObjects Enterprise (Central Management Server)", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "value": "During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems\u2019 Confidentiality, Integrity, and Availability." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-11T14:54:42", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2998510" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2022-28214", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP BusinessObjects Enterprise (Central Management Server)", "version": { "version_data": [ { "version_affected": "=", "version_value": "420" }, { "version_affected": "=", "version_value": "430" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems\u2019 Confidentiality, Integrity, and Availability." 
} ] }, "impact": { "cvss": { "baseScore": "null", "vectorString": "null", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-312" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "refsource": "MISC", "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "name": "https://launchpad.support.sap.com/#/notes/2998510", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2998510" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2022-28214", "datePublished": "2022-05-11T14:54:42", "dateReserved": "2022-03-30T00:00:00", "dateUpdated": "2024-08-03T05:48:37.497Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-2408
Vulnerability from cvelistv5
Published
2018-04-10 15:00
Modified
2024-08-05 04:21
Severity ?
7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS score ?
Summary
Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of a password change for a user, all other active sessions created using the older password continue to be active, i.e. they are not invalidated by the password change.
References
▼ | URL | Tags |
---|---|---|
https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ | x_refsource_CONFIRM | |
https://launchpad.support.sap.com/#/notes/2537150 | x_refsource_MISC | |
http://www.securityfocus.com/bid/103700 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP Business Objects |
Version: 4.00 Version: from 4.10 Version: from 4.20 Version: 4.30 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T04:21:32.886Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2537150" }, { "name": "103700", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103700" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP Business Objects", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "4.00" }, { "status": "affected", "version": "from 4.10" }, { "status": "affected", "version": "from 4.20" }, { "status": "affected", "version": "4.30" } ] } ], "datePublic": "2018-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "Other", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-11T09:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2537150" }, { "name": "103700", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103700" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2408", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP Business Objects", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.00" }, { "version_affected": "=", "version_value": "from 4.10" }, { "version_affected": "=", "version_value": "from 4.20" }, { "version_affected": "=", "version_value": "4.30" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Other" } ] } ] }, "references": { "reference_data": [ { "name": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/" }, { "name": "https://launchpad.support.sap.com/#/notes/2537150", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2537150" }, { "name": "103700", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103700" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2408", "datePublished": "2018-04-10T15:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:21:32.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }