Businessobjects
by SAP
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-2408 | SAP / BusinessObjects | High | 0.48 | 7.3 | 0.02 | — | Apr 10, 2018 | Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of a password change for a user, all other active sessions created using the older password continue to be active. |
| CVE-2017-16683 | SAP / BusinessObjects | Medium | 0.42 | 6.5 | 0.01 | — | Dec 12, 2017 | Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service. |
| CVE-2026-44743 | SAP / BusinessObjects | Low | 0.24 | 3.7 | 0.00 | — | Jun 9, 2026 | Under certain conditions, when an unauthorized attacker accesses a specific endpoint, the SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application. |
| CVE-2010-0219 | SAP / BusinessObjects | — | 0.10 | — | 0.90 | — | Oct 18, 2010 | Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web… |
| CVE-2007-6254 | SAP / BusinessObjects | — | 0.01 | — | 0.06 | — | Mar 20, 2008 | Stack-based buffer overflow in the SAP Business Objects BusinessObjects RptViewerAX ActiveX control in RptViewerAX.dll in Business Objects 6.5 before CHF74 allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2026-24325 | SAP / BusinessObjects | — | 0.00 | — | 0.00 | — | Feb 10, 2026 | SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when the user visits the… |
| CVE-2026-0490 | SAP / BusinessObjects | — | 0.00 | — | 0.00 | — | Feb 10, 2026 | SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents legitimate users from accessing the platform. As a result, it has a high impact on the availability… |
| CVE-2026-0485 | SAP / BusinessObjects | — | 0.00 | — | 0.00 | — | Feb 10, 2026 | SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeatedly submitting these requests, the attacker could induce a persistent service… |
| CVE-2022-35228 | SAP / BusinessObjects | — | 0.00 | — | 0.00 | — | Jul 12, 2022 | SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social… |
| CVE-2022-31598 | SAP / BusinessObjects | — | 0.00 | — | 0.00 | — | Jul 12, 2022 | Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on… |
| CVE-2019-0259 | SAP / BusinessObjects | — | 0.00 | — | 0.02 | — | Feb 15, 2019 | SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation. |
| CVE-2019-0251 | SAP / BusinessObjects | — | 0.00 | — | 0.01 | — | Feb 15, 2019 | The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. |
| CVE-2015-7730 | SAP / BusinessObjects | — | 0.00 | — | 0.04 | — | Oct 15, 2015 | SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108. |
| CVE-2014-9387 | SAP / BusinessObjects | — | 0.00 | — | 0.05 | — | Dec 17, 2014 | SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905. |
| CVE-2014-8311 | SAP / BusinessObjects | — | 0.00 | — | 0.02 | — | Oct 16, 2014 | SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener. |
| CVE-2014-8310 | SAP / BusinessObjects | — | 0.00 | — | 0.03 | — | Oct 16, 2014 | The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via a crafted OSCAFactory::Session ORB message. |
| CVE-2014-8309 | SAP / BusinessObjects | — | 0.00 | — | 0.02 | — | Oct 16, 2014 | SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise… |
| CVE-2014-8308 | SAP / BusinessObjects | — | 0.00 | — | 0.02 | — | Oct 16, 2014 | Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2014-3134 | SAP / BusinessObjects | — | 0.00 | — | 0.01 | — | Apr 30, 2014 | Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2010-3983 | SAP / BusinessObjects | — | 0.00 | — | 0.02 | — | Oct 18, 2010 | CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property. |