The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SAP BusinessObjects

vulnerability alert CVE-2014-8659 CVE-2014-8660 CVE-2014-8661

SAP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 14/10/2014.
Identifiers: CVE-2014-8659, CVE-2014-8660, CVE-2014-8661, CVE-2014-8662, CVE-2014-8663, CVE-2014-8664, CVE-2014-8665, CVE-2014-8666, CVE-2014-8667, CVE-2014-8668, CVE-2014-8669, DOC-8218, VIGILANCE-VUL-15471.

Description of the vulnerability

Several vulnerabilities were announced in SAP.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2014-8311

SAP BusinessObjects: information disclosure via CORBA InfoStore

Synthesis of the vulnerability

An attacker can use CORBA InfoStore of SAP BusinessObjects, in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 1998990, CVE-2014-8311, DOC-8218, ONAPSIS-2014-031, VIGILANCE-VUL-14864.

Description of the vulnerability

The SAP BusinessObjects product offers a CORBA service.

However, an attacker can use InfoStore to obtain information.

An attacker can therefore use CORBA InfoStore of SAP BusinessObjects, in order to obtain sensitive information.

vulnerability bulletin CVE-2014-8310

SAP BusinessObjects: denial of service via CORBA OSCAFactory-Session

Synthesis of the vulnerability

An attacker can use CORBA OSCAFactory::Session of SAP BusinessObjects, in order to trigger a denial of service.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 2001106, CVE-2014-8310, DOC-8218, ONAPSIS-2014-030, VIGILANCE-VUL-14863.

Description of the vulnerability

The SAP BusinessObjects product offers a CORBA service.

However, an attacker can call OSCAFactory::Session to stop CORBA.

An attacker can therefore use CORBA OSCAFactory::Session of SAP BusinessObjects, in order to trigger a denial of service.

vulnerability announcement CVE-2014-8309

SAP BusinessObjects: information disclosure

Synthesis of the vulnerability

An attacker can use SAP BusinessObjects, in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 2001109, CVE-2014-8309, DOC-8218, ONAPSIS-2014-029, VIGILANCE-VUL-14862.

Description of the vulnerability

The SAP BusinessObjects product offers a web service.

However, an attacker can measure the response time, in order to detect users.

An attacker can therefore use SAP BusinessObjects, in order to obtain sensitive information.

computer vulnerability CVE-2014-8308

SAP BusinessObjects: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP BusinessObjects, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 1941562, CVE-2014-8308, DOC-8218, ONAPSIS-2014-032, VIGILANCE-VUL-14865.

Description of the vulnerability

The SAP BusinessObjects product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP BusinessObjects, in order to execute JavaScript code in the context of the web site.

vulnerability note 13904

SAP BusinessObjects Explorer: Cross Site Flashing of com_businessobjects_polestar_bootstrap.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Flashing in com_businessobjects_polestar_bootstrap.swf of SAP BusinessObjects Explorer, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 10/12/2013.
Revision date: 10/10/2014.
Identifiers: 1908647, DOC-8218, VIGILANCE-VUL-13904.

Description of the vulnerability

The SAP BusinessObjects Explorer product offers a web service.

However, it does not filter received data before transferring them to a Flash application.

An attacker can therefore trigger a Cross Site Flashing in com_businessobjects_polestar_bootstrap.swf of SAP BusinessObjects Explorer, in order to execute JavaScript code in the context of the web site.

vulnerability bulletin CVE-2014-8315

SAP BusinessObjects Explorer: information disclosure via Port Scanning

Synthesis of the vulnerability

An attacker can use a Port Scanning on SAP BusinessObjects Explorer, in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 10/12/2013.
Revision date: 10/10/2014.
Identifiers: 1908562, CVE-2014-8315, DOC-8218, VIGILANCE-VUL-13903.

Description of the vulnerability

The SAP BusinessObjects Explorer product offers a web service.

However, an attacker can measure the response time to a query, in order to detect open ports.

An attacker can therefore use a Port Scanning on SAP BusinessObjects Explorer, in order to obtain sensitive information.

vulnerability announcement 14732

SAP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 13/05/2014.
Revision date: 19/05/2014.
Identifiers: 1979438, DOC-8218, VIGILANCE-VUL-14732.

Description of the vulnerability

The SAP product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP, in order to execute JavaScript code in the context of the web site.

vulnerability announcement CVE-2014-3134

SAP BusinessObjects InfoView: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP BusinessObjects InfoView, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 14/01/2014.
Revision date: 29/04/2014.
Identifiers: 1931399, CVE-2014-3134, DOC-8218, ONAPSIS-2014-010, VIGILANCE-VUL-14072.

Description of the vulnerability

The SAP BusinessObjects InfoView product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP BusinessObjects InfoView, in order to execute JavaScript code in the context of the web site.

computer vulnerability CVE-2014-2751

SAP Print and Output: privilege escalation

Synthesis of the vulnerability

An attacker can access a user account of SAP Print and Output, in order to escalate his privileges or to obtain sensitive information.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 10/12/2013.
Revision date: 14/03/2014.
Identifiers: 1911523, CVE-2014-2751, DOC-8218, ONAPSIS-2014-004, VIGILANCE-VUL-13915.

Description of the vulnerability

The SAP Print and Output product manages the display of documents.

However, it uses a hardcoded username.

An attacker can therefore access a user account of SAP Print and Output, in order to escalate his privileges or to obtain sensitive information.