CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35228
https://notcve.org/view.php?id=CVE-2022-35228
12 Jul 2022 — SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social engineering. On successful exploitation, the attacker can completely compromise the application. SAP BusinessObjects CMC permite a un atacante no autenticado recuperar información de tokens a través de la red que, de otro modo, estaría rest... • https://launchpad.support.sap.com/#/notes/3221288 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35169
https://notcve.org/view.php?id=CVE-2022-35169
12 Jul 2022 — SAP BusinessObjects Business Intelligence Platform (LCM) - versions 420, 430, allows an attacker with an admin privilege to read and decrypt LCMBIAR file's password under certain conditions, enabling the attacker to modify the password or import the file into another system causing high impact on confidentiality but a limited impact on the availability and integrity of the application. SAP BusinessObjects Business Intelligence Platform (LCM) - versiones 420, 430, permite a un atacante con un privilegio de a... • https://launchpad.support.sap.com/#/notes/3194361 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29619
https://notcve.org/view.php?id=CVE-2022-29619
12 Jul 2022 — Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted. Bajo determinadas condiciones, SAP BusinessObjects Business Intelligence Platform versión 4.x - versiones 420,430 permite al usuario Administrador visualizar, editar o modificar los derechos de objetos que no posee y que de otra manera estarían restringidos • https://launchpad.support.sap.com/#/notes/3169239 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-27671
https://notcve.org/view.php?id=CVE-2022-27671
12 Apr 2022 — A CSRF token visible in the URL may possibly lead to information disclosure vulnerability. Un token de tipo CSRF visible en la URL podría conllevar a una vulnerabilidad de divulgación de información • https://launchpad.support.sap.com/#/notes/3130497 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28216
https://notcve.org/view.php?id=CVE-2022-28216
12 Apr 2022 — SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access certain reports causing a limited impact on confidentiality of the application data. SAP BusinessObjects Business Intelligence Platform (BI Workspace) - versión 420, es susceptible de sufrir un ataque de tipo Cross-Site Scripting por par... • https://launchpad.support.sap.com/#/notes/3150845 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 2%CPEs: 2EXPL: 3CVE-2022-28213 – SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
https://notcve.org/view.php?id=CVE-2022-28213
12 Apr 2022 — When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server and in successful exploits of DoS. Cuando un usuario accede a servicios web SOAP en SAP BusinessObjects Business Intelligence Platform - versión 420, 430, no se comprueba suficientemente el documento XML aceptado desde una fuente no confiable, lo que ... • https://packetstorm.news/files/id/167046 • CWE-112: Missing XML Validation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22541
https://notcve.org/view.php?id=CVE-2022-22541
12 Apr 2022 — SAP BusinessObjects Business Intelligence Platform - versions 420, 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people that shouldn't or don't need to have access. SAP BusinessObjects Business Intelligence Platform - versiones 420, 430, puede permitir a usuarios legítimos acceder a información que no deberían ver mediante conexiones relacionales u OLAP. El principal impacto es la divulgac... • https://launchpad.support.sap.com/#/notes/3137191 • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27667
https://notcve.org/view.php?id=CVE-2022-27667
12 Apr 2022 — Under certain conditions, SAP BusinessObjects Business Intelligence platform, Client Management Console (CMC) - version 430, allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. Bajo determinadas condiciones, la plataforma SAP BusinessObjects Business Intelligence, Client Management Console (CMC) - versión 430, permite a un atacante acceder a información que de otra manera estaría restringida, conllevando a una Divulgación de Información • https://launchpad.support.sap.com/#/notes/3145769 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-42061
https://notcve.org/view.php?id=CVE-2021-42061
14 Dec 2021 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow. SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - versión 420, no codifica suficientemen... • https://launchpad.support.sap.com/#/notes/3103677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-40500
https://notcve.org/view.php?id=CVE-2021-40500
12 Oct 2021 — SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server. SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versiones 420, 430, permite a un atacante no autenticado explotar las comprobaciones XML falt... • https://launchpad.support.sap.com/#/notes/3074693 • CWE-611: Improper Restriction of XML External Entity Reference •