CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37179 – Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2024-37179
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3478615 https://url.sap/sapsecuritypatchday • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-25646 – Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence
https://notcve.org/view.php?id=CVE-2024-25646
Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. Debido a una validación incorrecta, SAP BusinessObject Business Intelligence Launch Pad permite que un atacante autenticado acceda a información del sistema operativo mediante un documento manipulado. Una explotación exitosa podría tener un impacto considerable en la confidencialidad de la solicitud. • https://me.sap.com/notes/3421384 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42476 – Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence
https://notcve.org/view.php?id=CVE-2023-42476
SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases. SAP Business Objects Web Intelligence: versión 420, permite a un atacante autenticado inyectar código JavaScript en documentos de Web Intelligence que luego se ejecuta en el navegador de la víctima cada vez que se visita la página vulnerable. La explotación exitosa puede llevar a la exposición de los datos a los que tiene acceso el usuario. • https://me.sap.com/notes/3382353 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42474 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence
https://notcve.org/view.php?id=CVE-2023-42474
SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information. SAP BusinessObjects Web Intelligence - versión 420, tiene una URL con un parámetro que podría ser vulnerable a un ataque XSS. El atacante podría enviar un enlace malicioso a un usuario que posiblemente le permitiría recuperar información confidencial. • https://me.sap.com/notes/3372991 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22546
https://notcve.org/view.php?id=CVE-2022-22546
Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. Debido a una codificación HTML inapropiada en el resumen del control de entrada, un atacante autorizado puede ejecutar una vulnerabilidad de tipo XSS en SAP Business Objects Web Intelligence (BI Launchpad) - versión 420 • https://launchpad.support.sap.com/#/notes/3126748 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •