CVE-2018-2445
https://notcve.org/view.php?id=CVE-2018-2445
AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability. AdminTools en SAP BusinessObjects Business Intelligence, en versiones 4.1 y 4.2, permite que un atacante manipule la aplicación vulnerable para enviar peticiones manipuladas en nombre de la aplicación, lo que resulta en una vulnerabilidad de SSRF (Server-Side Request Forgery). • http://www.securityfocus.com/bid/105064 https://launchpad.support.sap.com/#/notes/2630018 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2018-2444
https://notcve.org/view.php?id=CVE-2018-2444
SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP BusinessObjects Financial Consolidation 10.0 y 10.1 no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/105087 https://launchpad.support.sap.com/#/notes/2621395 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2432
https://notcve.org/view.php?id=CVE-2018-2432
SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking. SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) 4.10, 4.20 y 4.30 permite que un atacante incluya datos no validados en la cabecera de respuesta HTTP enviada a un usuario web. La explotación con éxito de esta vulnerabilidad podría desembocar en ataques avanzados, incluyendo Cross-Site Scripting (XSS) y el secuestro de páginas. • http://www.securityfocus.com/bid/104716 https://launchpad.support.sap.com/#/notes/2523290 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2427
https://notcve.org/view.php?id=CVE-2018-2427
SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. SAP BusinessObjects Business Intelligence Suite, en versiones 4.10 y 4.20, y SAP Crystal Reports (versión para Visual Studio .NET, Version 2010) permite que un atacante inyecte código que puede ser ejecutado por la aplicación. Un atacante podría, por lo tanto, controlar el comportamiento de la aplicación. • http://www.securityfocus.com/bid/104715 https://launchpad.support.sap.com/#/notes/2620738 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2018-2431
https://notcve.org/view.php?id=CVE-2018-2431
SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP BusinessObjects Business Intelligence Suite 4.10 y 4.20 no cifra lo suficiente las entradas controladas por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/104695 https://launchpad.support.sap.com/#/notes/2624762 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •