CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23185 – Information Disclosure in SAP Business Objects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-23185
11 Mar 2025 — Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical details of the application are revealed in exceptions thrown to the user and in stack traces. Only an attacker with administrator level privileges has access to this disclosed information, and they could use it to craft further exploits. There is no impact on the integrity and availability of the application. • https://me.sap.com/notes/3549494 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-42478 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-42478
12 Dec 2023 — SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application. SAP Business Objects Business Intelligence Platform es vulnerable al XSS almacenado, lo que permite a un atacante cargar documentos independientes en el sistema que, cuando los abre cualquier otro usuario, podrían tener un alto impacto en la integridad de la aplicación. SA... • https://me.sap.com/notes/3382353 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 1%CPEs: 2EXPL: 0CVE-2023-25617 – OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)
https://notcve.org/view.php?id=CVE-2023-25617
14 Mar 2023 — SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system. • https://launchpad.support.sap.com/#/notes/3283438 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.9EPSS: 1%CPEs: 2EXPL: 0CVE-2023-25616 – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
https://notcve.org/view.php?id=CVE-2023-25616
14 Mar 2023 — In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system. In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vu... • https://launchpad.support.sap.com/#/notes/3245526 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23856
https://notcve.org/view.php?id=CVE-2023-23856
14 Feb 2023 — In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application. • https://launchpad.support.sap.com/#/notes/3263863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0015 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
https://notcve.org/view.php?id=CVE-2023-0015
10 Jan 2023 — In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3251447 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41267
https://notcve.org/view.php?id=CVE-2022-41267
13 Dec 2022 — SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application. SAP Business Objects Platform: versiones 420 y 430, permite a un atacante con privilegios de usuario de BI normal cargar/reemplazar cualquier archivo en el servidor de Busines... • https://launchpad.support.sap.com/#/notes/3239475 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41263
https://notcve.org/view.php?id=CVE-2022-41263
12 Dec 2022 — Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application. • https://launchpad.support.sap.com/#/notes/3249648 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31596
https://notcve.org/view.php?id=CVE-2022-31596
12 Dec 2022 — Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring database to retrieve and modify (non-personal) system data which would otherwise be restricted. Also, a potential attack could be used to leave the CMS's scope and impact the database. A successful attack could have a low impact on confidentiality, a high impact on integrity, an... • https://launchpad.support.sap.com/#/notes/3213507 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39013
https://notcve.org/view.php?id=CVE-2022-39013
11 Oct 2022 — Under certain conditions an authenticated attacker can get access to OS credentials. Getting access to OS credentials enables the attacker to modify system data and make the system unavailable leading to high impact on confidentiality and low impact on integrity and availability of the application. Bajo determinadas condiciones, un atacante autenticado puede obtener acceso a las credenciales del Sistema Operativo. Obtener acceso a las credenciales del Sistema Operativo permite al atacante modificar los dato... • https://launchpad.support.sap.com/#/notes/3229132 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •