CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22546
https://notcve.org/view.php?id=CVE-2022-22546
09 Feb 2022 — Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. Debido a una codificación HTML inapropiada en el resumen del control de entrada, un atacante autorizado puede ejecutar una vulnerabilidad de tipo XSS en SAP Business Objects Web Intelligence (BI Launchpad) - versión 420 • https://launchpad.support.sap.com/#/notes/3126748 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-42061
https://notcve.org/view.php?id=CVE-2021-42061
14 Dec 2021 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow. SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - versión 420, no codifica suficientemen... • https://launchpad.support.sap.com/#/notes/3103677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-40497
https://notcve.org/view.php?id=CVE-2021-40497
12 Oct 2021 — SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system specific data like its version. SAP BusinessObjects Analysis (edición para OLAP) - versiones 420, 430, permite a un atacante explotar determinados endpoints de la aplicación para leer datos confidenciales. Estos endpoints están normalmente... • https://launchpad.support.sap.com/#/notes/3098917 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33697
https://notcve.org/view.php?id=CVE-2021-33697
15 Sep 2021 — Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. Bajo determinadas condiciones, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versiones - 420, 430, puede permitir que un atacante no autenticado redirija a usuarios a un sitio malicioso debido a las vulnerabilidades de tipo Reverse Tabnabbing • https://launchpad.support.sap.com/#/notes/3063048 • CWE-269: Improper Privilege Management CWE-1022: Use of Web Link to Untrusted Target with window.opener Access •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33696
https://notcve.org/view.php?id=CVE-2021-33696
15 Sep 2021 — SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from a Web site. SAP BusinessObjects Business Intelligence Platform (Crystal Report), versiones - 420, 430, no codifica suficientemente las entradas controladas por el usuario y, por lo tanto, un atacante autorizado puede explotar una vul... • https://launchpad.support.sap.com/#/notes/3062085 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33679
https://notcve.org/view.php?id=CVE-2021-33679
14 Sep 2021 — The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity. SAP BusinessObjects BI Platform versión - 420 permite a un atacante, que posee acceso básico a la aplicación, inyectar un script malicioso mien... • https://launchpad.support.sap.com/#/notes/3055180 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33667
https://notcve.org/view.php?id=CVE-2021-33667
14 Jul 2021 — Under certain conditions, SAP Business Objects Web Intelligence (BI Launchpad) versions - 420, 430, allows an attacker to access jsp source code, through SDK calls, of Analytical Reporting bundle, a part of the frontend application, which would otherwise be restricted. Bajo determinadas condiciones, SAP Business Objects Web Intelligence (BI Launchpad) versiones 420 y 430, permiten a un atacante acceder al código fuente jsp, mediante llamadas al SDK, del paquete Analytical Reporting, una parte de la aplicaci... • https://launchpad.support.sap.com/#/notes/3044751 •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21444
https://notcve.org/view.php?id=CVE-2021-21444
09 Feb 2021 — SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking attack. SAP Business Objects BI Platform, versiones - 410, 420, 430, permite múltiples entradas de encabezados X-Frame-Options en los encabezados de respuesta, que pueden no ser tratados de manera predecible por todos los agentes de... • https://launchpad.support.sap.com/#/notes/2935791 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21447
https://notcve.org/view.php?id=CVE-2021-21447
12 Jan 2021 — SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting. La plataforma SAP BusinessObjects Business Intelligence, versiones 410, 420, permite a un atacante autenticado inyectar una carga útil de JavaScript maliciosa en el campo de entrada de valor perso... • https://launchpad.support.sap.com/#/notes/2965154 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •