| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of SAP BusinessObjects
SAP: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of SAP, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Creation date: 13/05/2014.
Revision date: 19/05/2014.
Identifiers: 1979438, DOC-8218, VIGILANCE-VUL-14732.
Description of the vulnerability
The SAP product offers a web service.
However, it does not filter received data before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting of SAP, in order to execute JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial) |
SAP BusinessObjects InfoView: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of SAP BusinessObjects InfoView, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Creation date: 14/01/2014.
Revision date: 29/04/2014.
Identifiers: 1931399, CVE-2014-3134, DOC-8218, ONAPSIS-2014-010, VIGILANCE-VUL-14072.
Description of the vulnerability
The SAP BusinessObjects InfoView product offers a web service.
However, it does not filter received data before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting of SAP BusinessObjects InfoView, in order to execute JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial) |
SAP Print and Output: privilege escalation
Synthesis of the vulnerability
An attacker can access to a user of SAP Print and Output, in order to escalate his privileges or to obtain sensitive information.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Creation date: 10/12/2013.
Revision date: 14/03/2014.
Identifiers: 1911523, CVE-2014-2751, DOC-8218, ONAPSIS-2014-004, VIGILANCE-VUL-13915.
Description of the vulnerability
The SAP Print and Output product manage the display of documents.
However, it uses an hardcoded username.
An attacker can therefore access to a user of SAP Print and Output, in order to escalate his privileges or to obtain sensitive information.
Complete Vigil@nce bulletin.... (Free trial) |
SAP BOPF for ABAP: privilege escalation
Synthesis of the vulnerability
An attacker can access to a user of SAP BOPF for ABAP, in order to escalate his privileges or to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Creation date: 10/12/2013.
Revision date: 14/03/2014.
Identifiers: 1913554, CVE-2014-2752, DOC-8218, ONAPSIS-2014-003, VIGILANCE-VUL-13916.
Description of the vulnerability
The SAP BOPF for ABAP product offers services for SAP products.
However, it uses an hardcoded username.
An attacker can therefore access to a user of SAP BOPF for ABAP, in order to escalate his privileges or to obtain sensitive information.
Complete Vigil@nce bulletin.... (Free trial) |
SAP: multiple vulnerabilities for February 2014
Synthesis of the vulnerability
An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Creation date: 14/02/2014.
Identifiers: 1716640, 1769611, 1771706, 1777988, 1781171, 1833327, 1911319, 1913388, 1915908, 1942332, VIGILANCE-VUL-14262.
Description of the vulnerability
Several vulnerabilities were publicly announced this month by SAP.
An attacker can traverse directories in HFILTAX0_FORMS0_ALV, in order to read a file outside the root path. [severity:2/4; 1913388]
An attacker can traverse directories in HFISTWC0_FORMS, in order to read a file outside the root path. [severity:2/4; 1777988]
An attacker can traverse directories in HFIUTMS0, in order to read a file outside the root path. [severity:2/4; 1771706]
An attacker can traverse directories in HFISTBC0_SUBR, in order to read a file outside the root path. [severity:2/4; 1769611]
An attacker can trigger a Cross Site Scripting in Business Planning and Consolidation, in order to execute JavaScript code in the context of the web site. [severity:2/4; 1942332]
An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1911319]
An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1716640]
An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1915908]
An attacker can invite the victim to click in WebDynpro Java, in order to perform operations. [severity:1/4; 1781171]
An attacker can use a SQL injection in LSZRSF03, in order to read or alter data. [severity:2/4; 1833327]
Other vulnerabilities may have been announced this month, but they are private. SAP has to be contacted to obtain the full list.
Complete Vigil@nce bulletin.... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about SAP BusinessObjects:
|