BusinessObjects Business Intelligence Platform (Web Intelligence)
by SAP
CVEs (118)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-0375 | 0.00 | — | 0.01 | Oct 8, 2019 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site… | |||
| CVE-2019-0374 | 0.00 | — | 0.01 | Oct 8, 2019 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting | |||
| CVE-2019-0352 | 0.00 | — | 0.01 | Sep 10, 2019 | In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. | |||
| CVE-2019-0348 | 0.00 | — | 0.01 | Aug 14, 2019 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted. | |||
| CVE-2019-0346 | 0.00 | — | 0.01 | Aug 14, 2019 | Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure. | |||
| CVE-2019-0334 | 0.00 | — | 0.01 | Aug 14, 2019 | When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. The attacker… | |||
| CVE-2019-0333 | 0.00 | — | 0.01 | Aug 14, 2019 | In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting… | |||
| CVE-2019-0335 | 0.00 | — | 0.01 | Aug 14, 2019 | Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is… | |||
| CVE-2019-0332 | 0.00 | — | 0.01 | Aug 14, 2019 | SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2019-0331 | 0.00 | — | 0.01 | Aug 14, 2019 | Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure. | |||
| CVE-2019-0326 | 0.00 | — | 0.01 | Jul 10, 2019 | SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2019-0303 | 0.00 | — | 0.01 | Jun 14, 2019 | SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute… | |||
| CVE-2019-0289 | 0.00 | — | 0.01 | May 14, 2019 | Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted. | |||
| CVE-2019-0287 | 0.00 | — | 0.02 | May 14, 2019 | Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted. | |||
| CVE-2019-0269 | 0.00 | — | 0.01 | Mar 12, 2019 | SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2018-2479 | 0.00 | — | 0.01 | Nov 13, 2018 | SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||
| CVE-2018-2473 | 0.00 | — | 0.02 | Nov 13, 2018 | SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||
| CVE-2018-2483 | 0.00 | — | 0.01 | Nov 13, 2018 | HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method. |
- CVE-2019-0375Oct 8, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site…
- CVE-2019-0374Oct 8, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting
- CVE-2019-0352Sep 10, 2019risk 0.00cvss —epss 0.01
In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout.
- CVE-2019-0348Aug 14, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted.
- CVE-2019-0346Aug 14, 2019risk 0.00cvss —epss 0.01
Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure.
- CVE-2019-0334Aug 14, 2019risk 0.00cvss —epss 0.01
When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. The attacker…
- CVE-2019-0333Aug 14, 2019risk 0.00cvss —epss 0.01
In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting…
- CVE-2019-0335Aug 14, 2019risk 0.00cvss —epss 0.01
Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is…
- CVE-2019-0332Aug 14, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2019-0331Aug 14, 2019risk 0.00cvss —epss 0.01
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure.
- CVE-2019-0326Jul 10, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2019-0303Jun 14, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute…
- CVE-2019-0289May 14, 2019risk 0.00cvss —epss 0.01
Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
- CVE-2019-0287May 14, 2019risk 0.00cvss —epss 0.02
Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.
- CVE-2019-0269Mar 12, 2019risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2018-2479Nov 13, 2018risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
- CVE-2018-2473Nov 13, 2018risk 0.00cvss —epss 0.02
SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
- CVE-2018-2483Nov 13, 2018risk 0.00cvss —epss 0.01
HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method.
Page 6 of 6