Unrated severityNVD Advisory· Published Oct 16, 2014· Updated May 6, 2026

CVE-2014-8309

Description

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

Affected products

SAP/Businessobjects
cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*
SAP/Businessobjects Xi2 versions
cpe:2.3:a:sap:businessobjects_xi:3.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:sap:businessobjects_xi:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:sap:businessobjects_xi:r2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

scn.sap.com/docs/DOC-8218nvdVendor Advisory
service.sap.com/sap/support/notes/2001109nvdVendor Advisory
seclists.org/fulldisclosure/2014/Oct/42nvd
www.onapsis.com/resources/get.phpnvd
www.securityfocus.com/archive/1/533647/100/0/threadednvd
www.securityfocus.com/bid/70304nvd
exchange.xforce.ibmcloud.com/vulnerabilities/96874nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000