All the vulnerabilites related to SAP_SE - SAP BusinessObjects Business Intelligence Platform
cve-2023-30741
Vulnerability from cvelistv5
Published
2023-05-09 01:34
Modified
2024-08-02 14:37
Severity ?
EPSS score ?
Summary
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 420 Version: 430 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:37:15.013Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3309935" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eDue to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.\u003c/p\u003e" } ], "value": "Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-09T01:34:43.315Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://launchpad.support.sap.com/#/notes/3309935" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-30741", "datePublished": "2023-05-09T01:34:43.315Z", "dateReserved": "2023-04-14T06:01:02.875Z", "dateUpdated": "2024-08-02T14:37:15.013Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28166
Vulnerability from cvelistv5
Published
2024-08-13 04:05
Modified
2024-12-10 06:22
Severity ?
EPSS score ?
Summary
Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: ENTERPRISE 430 Version: 2025 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-28166", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-13T13:54:04.603269Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T13:54:21.863Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 430" }, { "status": "affected", "version": "2025" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003ctable\u003e\n \u003ctbody\u003e\u003ctr\u003e\n \u003ctd\u003e\n \u003cp\u003eSAP BusinessObjects Business Intelligence\n Platform allows an authenticated attacker to upload malicious code over the\n network, that could be executed by the application. On successful\n exploitation, the attacker can cause a low impact on the Integrity of the\n application.\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e" } ], "value": "SAP BusinessObjects Business Intelligence\n Platform allows an authenticated attacker to upload malicious code over the\n network, that could be executed by the application. On successful\n exploitation, the attacker can cause a low impact on the Integrity of the\n application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T06:22:53.694Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3433545" }, { "url": "https://me.sap.com/notes/3515653" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-28166", "datePublished": "2024-08-13T04:05:24.442Z", "dateReserved": "2024-03-06T06:12:27.005Z", "dateUpdated": "2024-12-10T06:22:53.694Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-42375
Vulnerability from cvelistv5
Published
2024-08-13 04:03
Modified
2024-12-10 06:22
Severity ?
EPSS score ?
Summary
Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: ENTERPRISE 430 Version: 2025 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-42375", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-13T14:31:43.110787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T14:32:00.577Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 430" }, { "status": "affected", "version": "2025" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003ctable\u003e\n \u003ctbody\u003e\u003ctr\u003e\n \u003ctd\u003e\n \u003cp\u003eSAP BusinessObjects Business Intelligence\n Platform allows an authenticated attacker to upload malicious code over the\n network, that could be executed by the application. On successful exploitation,\n the attacker can cause a low impact on the Integrity of the application.\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e" } ], "value": "SAP BusinessObjects Business Intelligence\n Platform allows an authenticated attacker to upload malicious code over the\n network, that could be executed by the application. On successful exploitation,\n the attacker can cause a low impact on the Integrity of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T06:22:12.114Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3433545" }, { "url": "https://me.sap.com/notes/3515653" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-42375", "datePublished": "2024-08-13T04:03:26.192Z", "dateReserved": "2024-07-31T04:09:36.223Z", "dateUpdated": "2024-12-10T06:22:12.114Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28165
Vulnerability from cvelistv5
Published
2024-05-14 03:51
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 430 Version: 440 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sap_se:sap_business_objects_business_intgelligence_platform:430:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sap_business_objects_business_intgelligence_platform", "vendor": "sap_se", "versions": [ { "status": "affected", "version": "430" } ] }, { "cpes": [ "cpe:2.3:a:sap_se:sap_business_objects_business_intgelligence_platform:440:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sap_business_objects_business_intgelligence_platform", "vendor": "sap_se", "versions": [ { "status": "affected", "version": "440" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28165", "options": [ { "Exploitation": "None" }, { "Automatable": "No" }, { "Technical Impact": "Total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-17T04:00:36.563347Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:03:32.671Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:49.373Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3431794" }, { "tags": [ "x_transferred" ], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "430" }, { "status": "affected", "version": "440" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpendocument\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e URL which could lead to high impact on Confidentiality and Integrity of the application\u003c/span\u003e\n\n" } ], "value": "\nSAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-14T03:51:20.267Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3431794" }, { "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-28165", "datePublished": "2024-05-14T03:51:20.267Z", "dateReserved": "2024-03-06T06:12:27.005Z", "dateUpdated": "2024-08-02T00:48:49.373Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41730
Vulnerability from cvelistv5
Published
2024-08-13 03:31
Modified
2024-08-16 04:01
Severity ?
EPSS score ?
Summary
Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: ENTERPRISE 430 Version: 440 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sap_se:sap_business_objects_business_intgelligence_platform:440:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sap_business_objects_business_intgelligence_platform", "vendor": "sap_se", "versions": [ { "status": "affected", "version": "440" } ] }, { "cpes": [ "cpe:2.3:a:sap_se:sap_business_objects_business_intgelligence_platform:430:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sap_business_objects_business_intgelligence_platform", "vendor": "sap_se", "versions": [ { "status": "affected", "version": "430" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-41730", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-15T00:00:00+00:00", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-16T04:01:44.403Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 430" }, { "status": "affected", "version": "440" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In SAP BusinessObjects Business Intelligence\nPlatform, if Single Signed On is enabled on Enterprise authentication, an\nunauthorized user can get a logon token using a REST endpoint. The attacker can\nfully compromise the system resulting in High impact on confidentiality,\nintegrity and availability." } ], "value": "In SAP BusinessObjects Business Intelligence\nPlatform, if Single Signed On is enabled on Enterprise authentication, an\nunauthorized user can get a logon token using a REST endpoint. The attacker can\nfully compromise the system resulting in High impact on confidentiality,\nintegrity and availability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-13T03:31:37.327Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3479478" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Missing Authentication check in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-41730", "datePublished": "2024-08-13T03:31:37.327Z", "dateReserved": "2024-07-22T08:06:52.675Z", "dateUpdated": "2024-08-16T04:01:44.403Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32732
Vulnerability from cvelistv5
Published
2024-12-10 00:11
Modified
2024-12-10 17:14
Severity ?
EPSS score ?
Summary
Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence platform |
Version: ENTERPRISE 430 Version: 2025 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-32732", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-10T15:49:03.748508Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-10T17:14:19.976Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 430" }, { "status": "affected", "version": "2025" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUnder certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application.\u003c/p\u003e" } ], "value": "Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-497", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T06:01:40.103Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3524933" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-32732", "datePublished": "2024-12-10T00:11:33.815Z", "dateReserved": "2024-04-17T10:46:51.752Z", "dateUpdated": "2024-12-10T17:14:19.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-30740
Vulnerability from cvelistv5
Published
2023-05-09 01:34
Modified
2024-08-02 14:37
Severity ?
EPSS score ?
Summary
Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 420 Version: 430 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:37:15.377Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3313484" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and availability of the application.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and availability of the application.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-09T01:34:18.312Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://launchpad.support.sap.com/#/notes/3313484" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-30740", "datePublished": "2023-05-09T01:34:18.312Z", "dateReserved": "2023-04-14T06:01:02.875Z", "dateUpdated": "2024-08-02T14:37:15.377Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-31406
Vulnerability from cvelistv5
Published
2023-05-09 01:37
Modified
2024-08-02 14:53
Severity ?
EPSS score ?
Summary
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 420 Version: 430 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:53:30.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3319400" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eDue to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.\u003c/p\u003e" } ], "value": "Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-09T01:37:32.237Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://launchpad.support.sap.com/#/notes/3319400" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-31406", "datePublished": "2023-05-09T01:37:32.237Z", "dateReserved": "2023-04-27T18:29:50.455Z", "dateUpdated": "2024-08-02T14:53:30.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45281
Vulnerability from cvelistv5
Published
2024-09-10 04:32
Modified
2024-09-16 16:17
Severity ?
EPSS score ?
Summary
DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 430 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sap:business_objects_business_intelligence_platform:430:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "business_objects_business_intelligence_platform", "vendor": "sap", "versions": [ { "status": "affected", "version": "430" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45281", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T13:16:47.468065Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T16:17:11.239Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-10T04:32:43.378Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3425287" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-45281", "datePublished": "2024-09-10T04:32:43.378Z", "dateReserved": "2024-08-26T10:39:20.932Z", "dateUpdated": "2024-09-16T16:17:11.239Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34684
Vulnerability from cvelistv5
Published
2024-06-11 02:20
Modified
2024-08-02 02:59
Severity ?
EPSS score ?
Summary
Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: ENTERPRISE 420 Version: 430 Version: 440 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-34684", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-11T15:54:46.187310Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-11T15:54:55.656Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:59:21.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3441817" }, { "tags": [ "x_transferred" ], "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 420" }, { "status": "affected", "version": "430" }, { "status": "affected", "version": "440" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files.\n\n\n\n" } ], "value": "On Unix, SAP BusinessObjects Business\nIntelligence Platform (Scheduling) allows an authenticated attacker with\nadministrator access on the local server to access the password of a local\naccount. As a result, an attacker can obtain non-administrative user\ncredentials, which will allow them to read or modify the remote server files." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-11T02:20:31.354Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3441817" }, { "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-34684", "datePublished": "2024-06-11T02:20:31.354Z", "dateReserved": "2024-05-07T05:46:11.657Z", "dateUpdated": "2024-08-02T02:59:21.825Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41731
Vulnerability from cvelistv5
Published
2024-08-13 04:07
Modified
2024-12-10 06:23
Severity ?
EPSS score ?
Summary
Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: ENTERPRISE 430 Version: 2025 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41731", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-13T18:54:12.849151Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T18:54:27.517Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "ENTERPRISE 430" }, { "status": "affected", "version": "2025" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SAP BusinessObjects Business Intelligence\nPlatform allows an authenticated attacker to upload malicious code over the\nnetwork, that could be executed by the application. On successful exploitation,\nthe attacker can cause a low impact on the Integrity of the application." } ], "value": "SAP BusinessObjects Business Intelligence\nPlatform allows an authenticated attacker to upload malicious code over the\nnetwork, that could be executed by the application. On successful exploitation,\nthe attacker can cause a low impact on the Integrity of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T06:23:32.782Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3433545" }, { "url": "https://me.sap.com/notes/3515653" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-41731", "datePublished": "2024-08-13T04:07:28.131Z", "dateReserved": "2024-07-22T08:06:52.675Z", "dateUpdated": "2024-12-10T06:23:32.782Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-0020
Vulnerability from cvelistv5
Published
2023-02-14 03:08
Modified
2024-08-02 04:54
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 420 Version: 430 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T04:54:32.627Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3263135" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "420" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-14T03:08:46.257Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://launchpad.support.sap.com/#/notes/3263135" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-0020", "datePublished": "2023-02-14T03:08:46.257Z", "dateReserved": "2022-12-20T03:49:44.135Z", "dateUpdated": "2024-08-02T04:54:32.627Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-36917
Vulnerability from cvelistv5
Published
2023-07-11 02:48
Modified
2024-10-23 16:22
Severity ?
EPSS score ?
Summary
Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 4.20 Version: 430 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:01:10.039Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3320702" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36917", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-23T16:21:14.979344Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-23T16:22:25.493Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP BusinessObjects Business Intelligence Platform", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "4.20" }, { "status": "affected", "version": "430" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim\u2019s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim\u2019s account.\u003c/p\u003e" } ], "value": "SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim\u2019s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim\u2019s account.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-11T02:48:10.677Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3320702" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-36917", "datePublished": "2023-07-11T02:48:10.677Z", "dateReserved": "2023-06-27T21:23:26.296Z", "dateUpdated": "2024-10-23T16:22:25.493Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }