CVE-2018-2445
https://notcve.org/view.php?id=CVE-2018-2445
AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability. AdminTools en SAP BusinessObjects Business Intelligence, en versiones 4.1 y 4.2, permite que un atacante manipule la aplicación vulnerable para enviar peticiones manipuladas en nombre de la aplicación, lo que resulta en una vulnerabilidad de SSRF (Server-Side Request Forgery). • http://www.securityfocus.com/bid/105064 https://launchpad.support.sap.com/#/notes/2630018 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2018-2447
https://notcve.org/view.php?id=CVE-2018-2447
SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database. SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), versión 4.2, permite que un atacante ejecute consultas InfoObject manipuladas, exponiendo la base de datos CMS InfoObjects. • http://www.securityfocus.com/bid/105075 https://launchpad.support.sap.com/#/notes/2644154 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-2432
https://notcve.org/view.php?id=CVE-2018-2432
SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking. SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) 4.10, 4.20 y 4.30 permite que un atacante incluya datos no validados en la cabecera de respuesta HTTP enviada a un usuario web. La explotación con éxito de esta vulnerabilidad podría desembocar en ataques avanzados, incluyendo Cross-Site Scripting (XSS) y el secuestro de páginas. • http://www.securityfocus.com/bid/104716 https://launchpad.support.sap.com/#/notes/2523290 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •