CVE-2022-22541
https://notcve.org/view.php?id=CVE-2022-22541
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people that shouldn't or don't need to have access. • https://launchpad.support.sap.com/#/notes/3137191 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
CVE-2022-22546
https://notcve.org/view.php?id=CVE-2022-22546
Due to improper HTML encoding in the input control summary, an authorized attacker can exploit an XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. • https://launchpad.support.sap.com/#/notes/3126748 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42061
https://notcve.org/view.php?id=CVE-2021-42061
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. This allows a low-privileged attacker to retrieve some data from the victim, but the attacker will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow. • https://launchpad.support.sap.com/#/notes/3103677 https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-40497
https://notcve.org/view.php?id=CVE-2021-40497
SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network, and successful exploitation could lead to exposure of some system-specific data such as its version. • https://launchpad.support.sap.com/#/notes/3098917 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 • CWE-668: Exposure of Resource to Wrong Sphere
CVE-2021-33697
https://notcve.org/view.php?id=CVE-2021-33697
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. • https://launchpad.support.sap.com/#/notes/3063048 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 • CWE-269: Improper Privilege Management CWE-1022: Use of Web Link to Untrusted Target with window.opener Access