VYPR

Businessobjects

by SAP

CVEs (24)

  • CVE-2018-2408 | High | Apr 10, 2018
    risk 0.48 | cvss 7.3 | epss 0.02

    Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. When a user's password is changed, all other active sessions created using the older password continue to be active.

  • CVE-2017-16683 | Medium | Dec 12, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service.

  • CVE-2026-44743 | Low | Jun 9, 2026
    risk 0.24 | cvss 3.7 | epss 0.00

    Under certain conditions, when an unauthorized attacker accesses a specific endpoint, the SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.

  • CVE-2010-0219 | Oct 18, 2010
    risk 0.10 | cvss (not shown) | epss 0.90

    Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web…

  • CVE-2007-6254 | Mar 20, 2008
    risk 0.01 | cvss (not shown) | epss 0.06

    Stack-based buffer overflow in the SAP Business Objects BusinessObjects RptViewerAX ActiveX control in RptViewerAX.dll in Business Objects 6.5 before CHF74 allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2026-24325 | Feb 10, 2026
    risk 0.00 | cvss (not shown) | epss 0.00

    SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the…

  • CVE-2026-0490 | Feb 10, 2026
    risk 0.00 | cvss (not shown) | epss 0.00

    SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability…

  • CVE-2026-0485 | Feb 10, 2026
    risk 0.00 | cvss (not shown) | epss 0.00

    SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeatedly submitting these requests, the attacker could induce a persistent service…

  • CVE-2022-35228 | Jul 12, 2022
    risk 0.00 | cvss (not shown) | epss 0.00

    SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social…

  • CVE-2022-31598 | Jul 12, 2022
    risk 0.00 | cvss (not shown) | epss 0.00

    Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on…

  • CVE-2019-0259 | Feb 15, 2019
    risk 0.00 | cvss (not shown) | epss 0.02

    SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation.

  • CVE-2019-0251 | Feb 15, 2019
    risk 0.00 | cvss (not shown) | epss 0.01

    The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2015-7730 | Oct 15, 2015
    risk 0.00 | cvss (not shown) | epss 0.04

    SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108.

  • CVE-2014-9387 | Dec 17, 2014
    risk 0.00 | cvss (not shown) | epss 0.05

    SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.

  • CVE-2014-8311 | Oct 16, 2014
    risk 0.00 | cvss (not shown) | epss 0.02

    SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener.

  • CVE-2014-8310 | Oct 16, 2014
    risk 0.00 | cvss (not shown) | epss 0.03

    The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via a crafted OSCAFactory::Session ORB message.

  • CVE-2014-8309 | Oct 16, 2014
    risk 0.00 | cvss (not shown) | epss 0.02

    SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise…

  • CVE-2014-8308 | Oct 16, 2014
    risk 0.00 | cvss (not shown) | epss 0.02

    Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2014-3134 | Apr 30, 2014
    risk 0.00 | cvss (not shown) | epss 0.01

    Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2010-3983 | Oct 18, 2010
    risk 0.00 | cvss (not shown) | epss 0.02

    CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenticated users to gain privileges via vectors involving the Program Job Server and the Program Login property.

Page 1 of 2