BusinessObjects Business Intelligence Platform (Web Intelligence)
by SAP
CVEs (118)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-2473 | Med | 0.42 | 6.5 | 0.02 | Nov 13, 2018 | SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | ||
| CVE-2023-30740 | Med | 0.41 | 6.3 | 0.00 | May 9, 2023 | SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and… | ||
| CVE-2023-31406 | Med | 0.40 | 6.1 | 0.00 | May 9, 2023 | Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information… | ||
| CVE-2023-30741 | Med | 0.40 | 6.1 | 0.00 | May 9, 2023 | Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information… | ||
| CVE-2022-28216 | Med | 0.40 | 6.1 | 0.01 | Apr 12, 2022 | SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access… | ||
| CVE-2021-33697 | Med | 0.40 | 6.1 | 0.01 | Sep 15, 2021 | Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | ||
| CVE-2020-6281 | Med | 0.40 | 6.1 | 0.01 | Jul 14, 2020 | SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting. | ||
| CVE-2020-6276 | Med | 0.40 | 6.1 | 0.01 | Jul 14, 2020 | SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | ||
| CVE-2020-6223 | Med | 0.40 | 6.1 | 0.01 | Apr 14, 2020 | The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application,… | ||
| CVE-2020-6216 | Med | 0.40 | 6.1 | 0.01 | Apr 14, 2020 | SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | ||
| CVE-2019-0335 | Med | 0.40 | 6.1 | 0.01 | Aug 14, 2019 | Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is… | ||
| CVE-2019-0332 | Med | 0.40 | 6.1 | 0.01 | Aug 14, 2019 | SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability. | ||
| CVE-2019-0326 | Med | 0.40 | 6.1 | 0.01 | Jul 10, 2019 | SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | ||
| CVE-2019-0303 | Med | 0.40 | 6.1 | 0.01 | Jun 14, 2019 | SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute… | ||
| CVE-2018-2479 | Med | 0.40 | 6.1 | 0.01 | Nov 13, 2018 | SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | ||
| CVE-2018-2472 | Med | 0.40 | 6.1 | 0.01 | Oct 9, 2018 | SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | ||
| CVE-2022-31596 | Med | 0.39 | 6.0 | 0.01 | Dec 12, 2022 | Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring database to retrieve and modify (non-personal)… | ||
| CVE-2022-35169 | Med | 0.39 | 6.0 | 0.01 | Jul 12, 2022 | SAP BusinessObjects Business Intelligence Platform (LCM) - versions 420, 430, allows an attacker with an admin privilege to read and decrypt LCMBIAR file's password under certain conditions, enabling the attacker to modify the password or import the file into another system… | ||
| CVE-2020-6308 | Med | 0.39 | 5.3 | 0.62 | Oct 20, 2020 | SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful… | ||
| CVE-2023-36917 | Med | 0.38 | 5.9 | 0.00 | Jul 11, 2023 | SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although… |
- risk 0.42cvss 6.5epss 0.02
SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
- risk 0.41cvss 6.3epss 0.00
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and…
- risk 0.40cvss 6.1epss 0.00
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information…
- risk 0.40cvss 6.1epss 0.00
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information…
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access…
- risk 0.40cvss 6.1epss 0.01
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
- risk 0.40cvss 6.1epss 0.01
SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting.
- risk 0.40cvss 6.1epss 0.01
SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
- risk 0.40cvss 6.1epss 0.01
The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application,…
- risk 0.40cvss 6.1epss 0.01
SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
- risk 0.40cvss 6.1epss 0.01
Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is…
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute…
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- risk 0.40cvss 6.1epss 0.01
SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- risk 0.39cvss 6.0epss 0.01
Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring database to retrieve and modify (non-personal)…
- risk 0.39cvss 6.0epss 0.01
SAP BusinessObjects Business Intelligence Platform (LCM) - versions 420, 430, allows an attacker with an admin privilege to read and decrypt LCMBIAR file's password under certain conditions, enabling the attacker to modify the password or import the file into another system…
- risk 0.39cvss 5.3epss 0.62
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful…
- risk 0.38cvss 5.9epss 0.00
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although…
Page 3 of 6