Computer vulnerabilities of SAP BusinessObjects

vulnerability note CVE-2014-9320

SAP BusinessObjects: privilege escalation via CORBA

Synthesis of the vulnerability

A remote authenticated attacker can use the CORBA interface of SAP BusinessObjects in order to escalate their privileges.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 09/09/2014.
Revision date: 16/12/2014.
Identifiers: 2039905, CVE-2014-9320, DOC-8218, ONAPSIS-2014-034, VIGILANCE-VUL-15304.

Description of the vulnerability

The SAP BusinessObjects product uses CORBA.

However, an attacker can use CORBA to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token, and then SYSTEM privileges.

A remote authenticated attacker can therefore use the CORBA interface of SAP BusinessObjects in order to escalate their privileges.

vulnerability alert CVE-2014-8659 CVE-2014-8660 CVE-2014-8661

SAP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/10/2014.
Identifiers: CVE-2014-8659, CVE-2014-8660, CVE-2014-8661, CVE-2014-8662, CVE-2014-8663, CVE-2014-8664, CVE-2014-8665, CVE-2014-8666, CVE-2014-8667, CVE-2014-8668, CVE-2014-8669, DOC-8218, VIGILANCE-VUL-15471.

Description of the vulnerability

Several vulnerabilities were announced in SAP.

vulnerability note CVE-2014-8311

SAP BusinessObjects: information disclosure via CORBA InfoStore

Synthesis of the vulnerability

An attacker can use the CORBA InfoStore of SAP BusinessObjects in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 1998990, CVE-2014-8311, DOC-8218, ONAPSIS-2014-031, VIGILANCE-VUL-14864.

Description of the vulnerability

The SAP BusinessObjects product offers a CORBA service.

However, an attacker can query InfoStore to obtain information.

An attacker can therefore use the CORBA InfoStore of SAP BusinessObjects in order to obtain sensitive information.

vulnerability bulletin CVE-2014-8310

SAP BusinessObjects: denial of service via CORBA OSCAFactory-Session

Synthesis of the vulnerability

An attacker can use CORBA OSCAFactory::Session of SAP BusinessObjects in order to trigger a denial of service.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 2001106, CVE-2014-8310, DOC-8218, ONAPSIS-2014-030, VIGILANCE-VUL-14863.

Description of the vulnerability

The SAP BusinessObjects product offers a CORBA service.

However, an attacker can call OSCAFactory::Session in a way that stops the CORBA service.

An attacker can therefore use CORBA OSCAFactory::Session of SAP BusinessObjects in order to trigger a denial of service.

vulnerability announce CVE-2014-8309

SAP BusinessObjects: information disclosure

Synthesis of the vulnerability

An attacker can use SAP BusinessObjects in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 2001109, CVE-2014-8309, DOC-8218, ONAPSIS-2014-029, VIGILANCE-VUL-14862.

Description of the vulnerability

The SAP BusinessObjects product offers a web service.

However, an attacker can measure the response time of the service in order to determine whether a given user account exists.

An attacker can therefore use SAP BusinessObjects in order to obtain sensitive information.

computer vulnerability CVE-2014-8308

SAP BusinessObjects: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP BusinessObjects in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/06/2014.
Revision date: 10/10/2014.
Identifiers: 1941562, CVE-2014-8308, DOC-8218, ONAPSIS-2014-032, VIGILANCE-VUL-14865.

Description of the vulnerability

The SAP BusinessObjects product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP BusinessObjects in order to execute JavaScript code in the context of the web site.

vulnerability note 13904

SAP BusinessObjects Explorer: Cross Site Flashing of com_businessobjects_polestar_bootstrap.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Flashing in com_businessobjects_polestar_bootstrap.swf of SAP BusinessObjects Explorer in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/12/2013.
Revision date: 10/10/2014.
Identifiers: 1908647, DOC-8218, VIGILANCE-VUL-13904.

Description of the vulnerability

The SAP BusinessObjects Explorer product offers a web service.

However, it does not filter received data before transferring it to a Flash application.

An attacker can therefore trigger a Cross Site Flashing in com_businessobjects_polestar_bootstrap.swf of SAP BusinessObjects Explorer in order to execute JavaScript code in the context of the web site.

vulnerability bulletin CVE-2014-8315

SAP BusinessObjects Explorer: information disclosure via Port Scanning

Synthesis of the vulnerability

An attacker can use SAP BusinessObjects Explorer for port scanning in order to obtain sensitive information.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 10/12/2013.
Revision date: 10/10/2014.
Identifiers: 1908562, CVE-2014-8315, DOC-8218, VIGILANCE-VUL-13903.

Description of the vulnerability

The SAP BusinessObjects Explorer product offers a web service.

However, an attacker can measure the response time to a query in order to detect open ports.

An attacker can therefore use SAP BusinessObjects Explorer for port scanning in order to obtain sensitive information.

vulnerability announce 14732

SAP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/05/2014.
Revision date: 19/05/2014.
Identifiers: 1979438, DOC-8218, VIGILANCE-VUL-14732.

Description of the vulnerability

The SAP product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP in order to execute JavaScript code in the context of the web site.

vulnerability announce CVE-2014-3134

SAP BusinessObjects InfoView: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP BusinessObjects InfoView in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/01/2014.
Revision date: 29/04/2014.
Identifiers: 1931399, CVE-2014-3134, DOC-8218, ONAPSIS-2014-010, VIGILANCE-VUL-14072.

Description of the vulnerability

The SAP BusinessObjects InfoView product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP BusinessObjects InfoView in order to execute JavaScript code in the context of the web site.