CVE-2019-0374
https://notcve.org/view.php?id=CVE-2019-0374
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting SAP BusinessObjects Business Intelligence Platform (interfaz Web Intelligence HTML), versiones anteriores a 4.2 y 4.3, no codifica suficientemente las entradas controladas por el usuario y permite la ejecución de scripts en el título del gráfico, resultando en una vulnerabilidad de tipo Cross-Site Scripting reflejado. • https://launchpad.support.sap.com/#/notes/2817945 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2442
https://notcve.org/view.php?id=CVE-2018-2442
In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. En SAP BusinessObjects Business Intelligence, en versiones 4.0, 4.1 y 4.2, mientras se visualiza un informe Web Intelligence del BI Launchpad, los detalles de la sesión de usuario capturados por una herramienta de análisis HTTP podrían reutilizarse en una página HTML mientras la sesión de usuario sigue siendo válida. • http://www.securityfocus.com/bid/105078 https://launchpad.support.sap.com/#/notes/2407193 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2018-2408
https://notcve.org/view.php?id=CVE-2018-2408
Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. Gestión incorrecta de sesión en SAP Business Objects, en su versión 4.0, desde la versión 4.20, 4.30, en CMC/BI Launchpad/Fiorified BI Launchpad. En el caso de que se cambie la contraseña de un usuario, el resto de sesiones activas creadas con la contraseña antigua seguirán estando activas. • http://www.securityfocus.com/bid/103700 https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018 https://launchpad.support.sap.com/#/notes/2537150 • CWE-384: Session Fixation •
CVE-2015-7730
https://notcve.org/view.php?id=CVE-2015-7730
SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108. SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0 y BusinessObjects XI (BOXI) 3.1 R3 permite a atacantes remotos causar una denegación de servicio (lectura fuera de limite y caída del receptor) a través de un paquete GIOP manipulado, también conocido como SAP Security Note 2001108. • http://seclists.org/fulldisclosure/2015/Sep/81 http://www.securitytracker.com/id/1033637 https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition https://www.onapsis.com/research/security-advisories/SAP-Business-Objects-Memory-Corruption • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-2076
https://notcve.org/view.php?id=CVE-2015-2076
The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395. El servicio Auditing en SAP BusinessObjects Edge 4.0 permite a atacantes remotos obtener información sensible leyendo un evento de auditoría, vulnerabilidad también conocida como SAP Note 2011395. • http://packetstormsecurity.com/files/130523/SAP-Business-Objects-Unauthorized-Audit-Information-Access.html http://seclists.org/fulldisclosure/2015/Feb/94 http://www.securityfocus.com/archive/1/534750/100/0/threaded http://www.securityfocus.com/bid/72775 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •