CVE-2022-28216
https://notcve.org/view.php?id=CVE-2022-28216
SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access certain reports causing a limited impact on confidentiality of the application data. SAP BusinessObjects Business Intelligence Platform (BI Workspace) - versión 420, es susceptible de sufrir un ataque de tipo Cross-Site Scripting por parte de un atacante no autenticado debido a un saneo inapropiado de las entradas del usuario en la red. En una explotación con éxito, un atacante puede acceder a determinados informes causando un impacto limitado en la confidencialidad de los datos de la aplicación • https://launchpad.support.sap.com/#/notes/3150845 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-28213 – SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
https://notcve.org/view.php?id=CVE-2022-28213
When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server and in successful exploits of DoS. Cuando un usuario accede a servicios web SOAP en SAP BusinessObjects Business Intelligence Platform - versión 420, 430, no se comprueba suficientemente el documento XML aceptado desde una fuente no confiable, lo que podría resultar en una recuperación de archivos arbitrarios desde el servidor y a explotaciones con éxito de DoS SAP BusinessObjects Intelligence version 4.3 suffers from an XML external entity injection vulnerability. • https://www.exploit-db.com/exploits/50900 http://packetstormsecurity.com/files/167046/SAP-BusinessObjects-Intelligence-4.3-XML-Injection.html https://launchpad.support.sap.com/#/notes/3055044 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-112: Missing XML Validation •
CVE-2022-22541
https://notcve.org/view.php?id=CVE-2022-22541
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people that shouldn't or don't need to have access. SAP BusinessObjects Business Intelligence Platform - versiones 420, 430, puede permitir a usuarios legítimos acceder a información que no deberían ver mediante conexiones relacionales u OLAP. El principal impacto es la divulgación de datos de la empresa a personas que no deberían o no necesitan tener acceso • https://launchpad.support.sap.com/#/notes/3137191 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVE-2022-27667
https://notcve.org/view.php?id=CVE-2022-27667
Under certain conditions, SAP BusinessObjects Business Intelligence platform, Client Management Console (CMC) - version 430, allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. Bajo determinadas condiciones, la plataforma SAP BusinessObjects Business Intelligence, Client Management Console (CMC) - versión 430, permite a un atacante acceder a información que de otra manera estaría restringida, conllevando a una Divulgación de Información • https://launchpad.support.sap.com/#/notes/3145769 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-42061
https://notcve.org/view.php?id=CVE-2021-42061
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow. SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - versión 420, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS). Esto permite a un atacante con pocos privilegios recuperar algunos datos de la víctima, pero no podrá modificar el documento y publicar estas modificaciones en el servidor. • https://launchpad.support.sap.com/#/notes/3103677 https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •