CVE-2021-40500
https://notcve.org/view.php?id=CVE-2021-40500
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server. SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versiones 420, 430, permite a un atacante no autenticado explotar las comprobaciones XML faltantes en los endpoints para leer datos confidenciales. Estos endpoints están normalmente expuestos a través de la red y una explotación con éxito puede permitir al atacante recuperar archivos arbitrarios del servidor • https://launchpad.support.sap.com/#/notes/3074693 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2019-0352
https://notcve.org/view.php?id=CVE-2019-0352
In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. En SAP Business Objects Business Intelligence Platform, versiones anteriores a 4.1, 4.2 y 4.3, algunas páginas dinámicas (como jsp) son almacenadas en caché, lo que conlleva a que un atacante pueda visualizar la información confidencial por medio de la caché y puede abrir las páginas dinámicas incluso luego de cerrar sesión. • https://launchpad.support.sap.com/#/notes/2735924 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-0269
https://notcve.org/view.php?id=CVE-2019-0269
SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP BusinessObjects Business Intelligence Platform (BI Workspace), en versiones 4.10 y 4.20, no cifra de manera suficiente las entradas controladas por el usuario, conduciendo a una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/107359 https://launchpad.support.sap.com/#/notes/2693962 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2471
https://notcve.org/view.php?id=CVE-2018-2471
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted. En ciertas condiciones, SAP BusinessObjects Business Intelligence Platform, en versiones 4.10 y 4.20, permite que un atacante acceda a información que normalmente estaría restringida. • http://www.securityfocus.com/bid/105530 https://launchpad.support.sap.com/#/notes/2654905 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=500633095 •
CVE-2018-2427
https://notcve.org/view.php?id=CVE-2018-2427
SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. SAP BusinessObjects Business Intelligence Suite, en versiones 4.10 y 4.20, y SAP Crystal Reports (versión para Visual Studio .NET, Version 2010) permite que un atacante inyecte código que puede ser ejecutado por la aplicación. Un atacante podría, por lo tanto, controlar el comportamiento de la aplicación. • http://www.securityfocus.com/bid/104715 https://launchpad.support.sap.com/#/notes/2620738 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-94: Improper Control of Generation of Code ('Code Injection') •