CVE-2022-31598
https://notcve.org/view.php?id=CVE-2022-31598
Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. Debido a una insuficiente comprobación de entrada, SAP Business Objects - versión 420, permite que un atacante autenticado envíe una petición maliciosa mediante una operación permitida. En caso de una explotación con éxito, un atacante puede visualizar o modificar la información causando un impacto limitado en la confidencialidad e integridad de la aplicación • https://launchpad.support.sap.com/#/notes/3213279 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2022-32246
https://notcve.org/view.php?id=CVE-2022-32246
SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versiones 420, 430, permite a un atacante autenticado que tenga acceso a la consola de administración de BI enviar consultas diseñadas y extraer datos del backend SQL. Si es explotado con éxito, el atacante puede causar un impacto limitado en la confidencialidad e integridad de la aplicación • https://launchpad.support.sap.com/#/notes/3203079 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-6220
https://notcve.org/view.php?id=CVE-2020-6220
BI Launchpad and CMC in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Exploit is possible only when the bttoken in victim’s session is active. BI Launchpad y CMC en SAP Business Objects Business Intelligence Platform, versiones 4.1, 4.2, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS). La explotación sólo es posible cuando el bttoken de la sesión de la víctima está activo • https://launchpad.support.sap.com/#/notes/2878507 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24398
https://notcve.org/view.php?id=CVE-2022-24398
Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted. En determinadas condiciones, SAP Business Objects Business Intelligence Platform - versiones 420, 430, permite que un atacante autenticado acceda a información que de otro modo estaría restringida • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 https://launchpad.support.sap.com/#/notes/3103424 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •