CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SAP » Businessobjects Business Intelligence » 4.2 * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:sap:businessobjects_business_intelligence:4.2:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-0348 319 2019-08-14 2020-08-24
4.0
None Remote Low ??? Partial None None
SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted.
2 CVE-2019-0346 319 2019-08-14 2020-08-24
4.0
None Remote Low ??? Partial None None
Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure.
3 CVE-2019-0335 79 XSS 2019-08-14 2019-08-26
4.3
None Remote Medium Not required None Partial None
Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. The payload is triggered when the mouse cursor is moved over the description field in the list, when generating the little yellow informational pop up box, resulting in Stored Cross Site Scripting Attack.
4 CVE-2019-0334 79 XSS 2019-08-14 2019-08-22
4.9
None Remote Medium ??? Partial Partial None
When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. The attacker could also access other sensitive information, leading to Stored Cross Site Scripting.
5 CVE-2019-0333 2019-08-14 2020-08-24
4.0
None Remote Low ??? Partial None None
In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure.
6 CVE-2019-0332 79 XSS 2019-08-14 2019-08-19
4.3
None Remote Medium Not required None Partial None
SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.
7 CVE-2019-0331 2019-08-14 2020-08-24
5.0
None Remote Low Not required Partial None None
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure.
8 CVE-2019-0326 79 XSS 2019-07-10 2019-07-17
4.3
None Remote Medium Not required None Partial None
SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
9 CVE-2019-0268 91 2019-03-12 2019-03-13
5.5
None Remote Low ??? Partial None Partial
SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source.
10 CVE-2018-2483 287 2018-11-13 2020-08-24
4.0
None Remote Low ??? Partial None None
HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method.
11 CVE-2018-2473 2018-11-13 2020-08-24
4.0
None Remote Low ??? None None Partial
SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
12 CVE-2018-2447 89 Sql 2018-08-14 2018-10-11
4.0
None Remote Low ??? Partial None None
SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database.
13 CVE-2018-2445 918 2018-08-14 2018-10-15
5.5
None Remote Low ??? Partial Partial None
AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability.
14 CVE-2018-2442 352 2018-08-14 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid.
15 CVE-2018-2432 79 XSS 2018-07-10 2020-08-24
4.9
None Remote Medium ??? Partial Partial None
SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking.
Total number of vulnerabilities : 15   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.