CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37489 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)
https://notcve.org/view.php?id=CVE-2023-37489
Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI, which leads to low impact on confidentiality and no impact on the application's availability or integrity. Debido a la falta de validación, SAP BusinessObjects Business Intelligence Platform (Version Management System) - versión 403, permite que un usuario no autenticado lea el fragmento de código a través de la interfaz de usuario, lo que conduce a un bajo impacto en la confidencialidad y ningún impacto en la disponibilidad o integridad de la aplicación. • https://me.sap.com/notes/3352453 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-37490 – Binary hijack in SAP BusinessObjects Business Intelligence (Installer)
https://notcve.org/view.php?id=CVE-2023-37490
SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system • https://me.sap.com/notes/3317710 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-36917 – Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-36917
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account. • https://me.sap.com/notes/3320702 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31406 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-31406
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3319400 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31404 – Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service)
https://notcve.org/view.php?id=CVE-2023-31404
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Central Management Service) - versions 420, 430, allows an attacker to access information which would otherwise be restricted. Some users with specific privileges could have access to credentials of other users. It could let them access data sources which would otherwise be restricted. • https://launchpad.support.sap.com/#/notes/3038911 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •