CVE-2022-29619
https://notcve.org/view.php?id=CVE-2022-29619
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted. Bajo determinadas condiciones, SAP BusinessObjects Business Intelligence Platform versión 4.x - versiones 420,430 permite al usuario Administrador visualizar, editar o modificar los derechos de objetos que no posee y que de otra manera estarían restringidos • https://launchpad.support.sap.com/#/notes/3169239 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-863: Incorrect Authorization •
CVE-2022-28214
https://notcve.org/view.php?id=CVE-2022-28214
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability. Durante una actualización de SAP BusinessObjects Enterprise, Central Management Server (CMS) - versiones 420, 430, las credenciales de autenticación están siendo expuestas en los registros de eventos de Sysmon. Esta divulgación de información podría causar un alto impacto en la confidencialidad, integridad y disponibilidad de los sistemas • https://launchpad.support.sap.com/#/notes/2998510 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2022-27671
https://notcve.org/view.php?id=CVE-2022-27671
A CSRF token visible in the URL may possibly lead to information disclosure vulnerability. Un token de tipo CSRF visible en la URL podría conllevar a una vulnerabilidad de divulgación de información • https://launchpad.support.sap.com/#/notes/3130497 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVE-2022-28216
https://notcve.org/view.php?id=CVE-2022-28216
SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access certain reports causing a limited impact on confidentiality of the application data. SAP BusinessObjects Business Intelligence Platform (BI Workspace) - versión 420, es susceptible de sufrir un ataque de tipo Cross-Site Scripting por parte de un atacante no autenticado debido a un saneo inapropiado de las entradas del usuario en la red. En una explotación con éxito, un atacante puede acceder a determinados informes causando un impacto limitado en la confidencialidad de los datos de la aplicación • https://launchpad.support.sap.com/#/notes/3150845 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-28213 – SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
https://notcve.org/view.php?id=CVE-2022-28213
When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server and in successful exploits of DoS. Cuando un usuario accede a servicios web SOAP en SAP BusinessObjects Business Intelligence Platform - versión 420, 430, no se comprueba suficientemente el documento XML aceptado desde una fuente no confiable, lo que podría resultar en una recuperación de archivos arbitrarios desde el servidor y a explotaciones con éxito de DoS SAP BusinessObjects Intelligence version 4.3 suffers from an XML external entity injection vulnerability. • https://www.exploit-db.com/exploits/50900 http://packetstormsecurity.com/files/167046/SAP-BusinessObjects-Intelligence-4.3-XML-Injection.html https://launchpad.support.sap.com/#/notes/3055044 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-112: Missing XML Validation •