CVE-2023-42478 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-42478
SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application. SAP Business Objects Business Intelligence Platform es vulnerable al XSS almacenado, lo que permite a un atacante cargar documentos independientes en el sistema que, cuando los abre cualquier otro usuario, podrían tener un alto impacto en la integridad de la aplicación. • https://me.sap.com/notes/3382353 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25617 – OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)
https://notcve.org/view.php?id=CVE-2023-25617
SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system. • https://launchpad.support.sap.com/#/notes/3283438 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-25616 – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
https://notcve.org/view.php?id=CVE-2023-25616
In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system. • https://launchpad.support.sap.com/#/notes/3245526 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-23856
https://notcve.org/view.php?id=CVE-2023-23856
In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application. • https://launchpad.support.sap.com/#/notes/3263863 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-0015 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
https://notcve.org/view.php?id=CVE-2023-0015
In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3251447 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •