SAP BusinessObjects Business Intelligence: high-risk vulnerabilities

Each entry lists: date published, CVE ID and title; the vendor's description; attack vector; attack complexity; vendor and CWE (where one is assigned); risk score (CVSS base score).
2023-07-11  CVE-2023-36917  Improper Restriction of Excessive Authentication Attempts vulnerability in SAP BusinessObjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, allows an unauthorized attacker who has hijacked a user session to brute-force the victim's current password through the password-change function, because that function applies no rate limit to failed attempts; once the old password is guessed, the attacker can set a new one.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-307 | Risk (CVSS base score): 7.5
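The weakness in the entry above is the absence of a failure limit on a password-change form that asks for the current password. The following is an added example, not SAP code, showing a toy handler in both forms and a hijacked-session brute force replayed against each; the account store, PBKDF2 hashing, the three-failure limit, the fixed timestamp and the wordlist are all constructed for the demonstration:

```python
"""Added example (not SAP code): a password-change handler that requires the
current password, first without and then with a per-account failure limit.
The account store, the hashing and the wordlist are constructed stand-ins
for the platform's real mechanics."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_FAILURES = 3        # failed current-password checks tolerated per window (assumed)
WINDOW_SECONDS = 900    # how long the change function stays locked afterwards (assumed)
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt))


def verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.digest)


def _set_password(acct: Account, new: str) -> None:
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)


# Vulnerable: the handler checks the current password but never counts
# failures, so a hijacked session can walk a wordlist until it hits.
def change_password_unlimited(acct: Account, old: str, new: str,
                              now: Optional[float] = None) -> bool:
    if not verify(acct, old):
        return False
    _set_password(acct, new)
    return True


# Hardened: count failures per account, lock the function once the limit is
# reached, refuse further attempts until the window expires, and reset the
# counter only on success.
def change_password_limited(acct: Account, old: str, new: str,
                            now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return False                   # locked: do not even evaluate the guess
    if not verify(acct, old):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + WINDOW_SECONDS
            acct.failures = 0
        return False
    acct.failures = 0
    _set_password(acct, new)
    return True


# Constructed wordlist; the victim's real password is the last entry, so the
# unlimited handler needs every guess before it succeeds.
WORDLIST = ["123456", "password", "welcome1", "Winter2023", "Summer2023!"]

Handler = Callable[[Account, str, str, Optional[float]], bool]


def brute_force(handler: Handler, acct: Account,
                now: float = 1_700_000_000.0) -> Tuple[bool, int]:
    """Replay a hijacked session against the handler; return (success, attempts used)."""
    for n, guess in enumerate(WORDLIST, start=1):
        if handler(acct, guess, "attacker-chosen", now):
            return True, n
    return False, len(WORDLIST)


if __name__ == "__main__":
    victim = make_account("Summer2023!")
    print("no rate limit:", brute_force(change_password_unlimited, victim))
    victim = make_account("Summer2023!")
    print("rate limited: ", brute_force(change_password_limited, victim))
```

The limited handler refuses the fourth and fifth guesses without evaluating them, so the victim's password survives. Two caveats a practitioner should keep in mind: a per-account lockout can itself be abused to keep a legitimate user from changing a password, so the lockout should be logged and alerted on rather than silent; and counting failures does not undo the session hijack, so a successful change should also invalidate every other session for the account and notify the user.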
2023-05-09  CVE-2023-30740  Information Exposure vulnerability in SAP BusinessObjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, allows an authenticated attacker to access sensitive information that is otherwise restricted.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-200 | Risk (CVSS base score): 7.6
2023-05-09  CVE-2023-28762  Unspecified vulnerability in SAP BusinessObjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, allows an authenticated attacker with administrator privileges to obtain the login token of any logged-in BI user over the network, without any user interaction.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE: not assigned | Risk (CVSS base score): 7.2
2023-03-14  CVE-2023-27896  Server-Side Request Forgery (SSRF) vulnerability in SAP BusinessObjects Business Intelligence 420/430
In SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, an attacker who controls a malicious BOE server can force the application server to connect to the attacker's CMS, with a high impact on availability.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-918 | Risk (CVSS base score): 7.5
2022-11-08  CVE-2022-41203  Deserialization of Untrusted Data vulnerability in SAP BusinessObjects Business Intelligence 4.2/4.3
In some workflows of the SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object carried in request parameters and substitute a malicious serialized object of their own, which the server then deserializes: deserialization of untrusted data.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-502 | Risk (CVSS base score): 8.8
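The class of bug in the entry above is a serialized object travelling through a client-controlled parameter and being deserialized as-is. The BI Platform is a Java application; the following added example (not SAP code) illustrates the same pattern and two mitigations with Python's pickle, because that is what the verifier can run: a demo key, a ReportFilter class, a Gadget whose __reduce__ runs a benign marker function in place of a real command, and the HMAC-then-allow-list loader are all constructed for the demonstration.

```python
"""Added example (not SAP code): a request parameter carries a serialized
filter object; an attacker swaps it for a payload that runs code when
loaded. Mitigations: an HMAC over the blob so a substituted object is
rejected before parsing, and an allow-list unpickler that refuses every
class except the one the handler expects."""
import base64
import hashlib
import hmac
import io
import pickle
from typing import Any, Callable, Tuple

SERVER_KEY = b"constructed-demo-key-keep-server-side"   # assumed server secret
EXECUTED = []   # records that an attacker-supplied callable actually ran


class ReportFilter:
    """The legitimate object the handler expects in the parameter."""
    def __init__(self, column: str, value: str):
        self.column, self.value = column, value


def record(marker: str) -> str:
    """Stand-in for something like os.system: proves the gadget executed."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Attacker-built object: pickle invokes __reduce__'s callable on load."""
    def __reduce__(self):
        return (record, ("gadget ran",))


def encode_param(obj: Any) -> str:
    """Unauthenticated encoding, as a vulnerable application might emit it."""
    return base64.b64encode(pickle.dumps(obj)).decode()


def encode_param_signed(obj: Any) -> str:
    """Server-issued encoding: HMAC-SHA256 tag prepended to the blob."""
    blob = pickle.dumps(obj)
    tag = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    return base64.b64encode(tag + blob).decode()


def load_vulnerable(param: str) -> Any:
    """Deserializes whatever the client sent: CWE-502."""
    return pickle.loads(base64.b64decode(param))


class RestrictedUnpickler(pickle.Unpickler):
    """Only the globals named here may be resolved during load."""
    ALLOWED = {(ReportFilter.__module__, ReportFilter.__name__)}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hardened(param: str) -> Any:
    """Check the tag first, then unpickle through the allow-list."""
    raw = base64.b64decode(param)
    tag, blob = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("parameter was not issued by this server")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_load(loader: Callable[[str], Any], param: str) -> Tuple[str, Any]:
    """Run a loader and report ('ok', object) or ('rejected', reason)."""
    try:
        return "ok", loader(param)
    except (ValueError, pickle.UnpicklingError) as exc:
        return "rejected", str(exc)


def allowlist_rejects(obj: Any) -> bool:
    """Defence in depth: even a correctly signed Gadget (leaked key) is refused."""
    status, _ = try_load(load_hardened, encode_param_signed(obj))
    return status == "rejected"


if __name__ == "__main__":
    print(try_load(load_vulnerable, encode_param(Gadget())), EXECUTED)
    print(try_load(load_hardened, encode_param(Gadget())))
    print(try_load(load_hardened, encode_param_signed(ReportFilter("region", "EMEA")))[0])
```

The order of the two checks matters: the tag is verified before any byte of the payload is parsed, so a substituted object never reaches the deserializer, and the allow-list catches the case where the signing key has leaked. The Java equivalent of the allow-list is an ObjectInputFilter (serialization filtering); the cleanest fix remains not to round-trip server objects through the client at all.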
2022-08-10  CVE-2022-32245  Cleartext Transmission of Sensitive Information vulnerability in SAP BusinessObjects Business Intelligence 420/430
SAP BusinessObjects Business Intelligence Platform (Open Document), versions 420 and 430, allows an unauthenticated attacker to retrieve sensitive information in plain text over the network.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-319 | Risk (CVSS base score): 8.2
2022-05-11  CVE-2022-28214  Cleartext Storage of Sensitive Information vulnerability in SAP products
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS), versions 420 and 430, authentication credentials are exposed in Sysmon event logs, so anyone who can read those logs on the host, or the collector they are forwarded to, can recover them.
Attack vector: local | Attack complexity: low | Vendor: SAP | CWE-312 | Risk (CVSS base score): 7.8
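The entry above does not say how the credentials reach the log; the usual way a process-creation log ends up holding a password is a secret passed on a command line, which Sysmon records in the CommandLine field of Event ID 1. The following added example (not SAP code) scans an exported set of such records, flags the events carrying a secret and redacts them for forwarding. The sample records, the switch names the regex matches and the field layout are all constructed assumptions, not the switches of any particular SAP installer.

```python
"""Added example (not SAP code): scan exported Sysmon Event ID 1 (process
creation) records for a credential passed on a command line, report the
offending events and redact the secret before the line is forwarded."""
import re
from typing import Dict, List

# "<switch> <value>" or "<switch>=<value>" for common secret-bearing switches
# (assumed names; extend with the product's real switches).
SECRET_ARG = re.compile(
    r"(?P<switch>(?:--?|/)(?:password|passwd|pass|pwd|secret|token)[=:\s]+)"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

# Constructed Sysmon records as "Field: value" lines, one blank line per event.
SAMPLE_EVENTS = r"""
EventID: 1
Image: C:\Program Files (x86)\SAP BusinessObjects\setup\setup.exe
CommandLine: setup.exe -installdir C:\BO -password S3cret!Pass -quiet
User: CORP\svc_bo_install

EventID: 1
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c dir C:\BO
User: CORP\svc_bo_install

EventID: 3
Image: C:\BO\sap\cms.exe
DestinationIp: 10.0.0.5
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the export into events, each a dict of field -> value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def redact(cmdline: str) -> str:
    """Replace the value after a secret-bearing switch, keep the switch itself."""
    return SECRET_ARG.sub(lambda m: m.group("switch") + "<REDACTED>", cmdline)


def find_credential_leaks(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per process-creation event whose command line carries a secret."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "1" or "CommandLine" not in ev:
            continue                     # only process creations have a command line
        matches = list(SECRET_ARG.finditer(ev["CommandLine"]))
        if not matches:
            continue
        findings.append({
            "image": ev.get("Image", ""),
            "user": ev.get("User", ""),
            "switches": ", ".join(m.group("switch").strip(" =:") for m in matches),
            "redacted": redact(ev["CommandLine"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_leaks(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Redacting at the collector limits the blast radius but does not fix the cause; the host-side fix is to stop passing the secret on the command line (an ACL-protected response file or an interactive prompt) rather than to suppress Sysmon process-creation events for the installer, which would also blind detection of anything else it spawns.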
2019-03-12  CVE-2019-0268  XML Injection (aka Blind XPath Injection) vulnerability in SAP BusinessObjects Business Intelligence 4.1/4.2/4.3
SAP BusinessObjects Business Intelligence Platform (CMC module), versions 4.10, 4.20 and 4.30, does not sufficiently validate XML documents accepted from an untrusted source.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-91 | Risk (CVSS base score): 8.1
2018-08-14  CVE-2018-2446  Unspecified vulnerability in SAP BusinessObjects Business Intelligence 4.1/4.2
The admin tools in SAP BusinessObjects Business Intelligence, versions 4.1 and 4.2, allow an unauthenticated user to read sensitive information (the server name), an information disclosure.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE: not assigned | Risk (CVSS base score): 7.5
2018-08-14  CVE-2018-2442  Cross-Site Request Forgery (CSRF) vulnerability in SAP products
In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while a user views a Web Intelligence report from BI Launchpad, the session details captured by an HTTP analysis tool can be reused from an HTML page for as long as the user's session remains valid.
Attack vector: network | Attack complexity: low | Vendor: SAP | CWE-352 | Risk (CVSS base score): 8.8