SAP BusinessObjects Business Intelligence (BI Workspace)
by SAP
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-2442 | | Hig | 0.57 | 8.8 | 0.01 | | Aug 14, 2018 | In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. |
| CVE-2018-2427 | | Hig | 0.57 | 8.8 | 0.02 | | Jul 10, 2018 | SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the… |
| CVE-2018-2446 | | Hig | 0.49 | 7.5 | 0.02 | | Aug 14, 2018 | Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure. |
| CVE-2018-2447 | | Med | 0.42 | 6.5 | 0.01 | | Aug 14, 2018 | SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database. |
| CVE-2018-2431 | | Med | 0.40 | 6.1 | 0.01 | | Jul 10, 2018 | SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
| CVE-2025-23192 | | | 0.00 | — | 0.00 | | Jun 10, 2025 | SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access… |
| CVE-2024-25646 | | | 0.00 | — | 0.00 | | Apr 9, 2024 | Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. |
| CVE-2023-42476 | | | 0.00 | — | 0.01 | | Dec 12, 2023 | SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to… |
| CVE-2023-42474 | | | 0.00 | — | 0.00 | | Oct 10, 2023 | SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information. |
| CVE-2023-39440 | | | 0.00 | — | 0.00 | | Aug 8, 2023 | In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials. For a successful attack, the… |
| CVE-2023-37490 | | | 0.00 | — | 0.00 | | Aug 8, 2023 | SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can… |
| CVE-2023-23856 | | | 0.00 | — | 0.00 | | Feb 14, 2023 | In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable… |
| CVE-2018-2479 | | | 0.00 | — | 0.01 | | Nov 13, 2018 | SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |