Vulnerability CVE-2018-2447


Published: 2018-08-14

Description:
SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database.

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: SAP
Product: Businessobjects business intelligence 
Version: 4.2;

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securityfocus.com/bid/105075
https://launchpad.support.sap.com/#/notes/2644154
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742

Related CVE
CVE-2019-0277
SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
CVE-2019-0276
Banking services from SAP 9.0 (FSAPPL version 5) and SAP S/4HANA Financial Products Subledger (S4FPSL, version 1) performs an inadequate authorization check for an authenticated user, potentially resulting in escalation of privileges.
CVE-2019-0275
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability...
CVE-2019-0274
SAP Mobile Platform SDK allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service (i.e. denial of service). Fixed in versions 3.1 SP03 PL02, SDK 3.1 SP04, or later.
CVE-2019-0271
ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server...
CVE-2019-0270
ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has been corrected in the following versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,...
CVE-2019-0269
SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
CVE-2019-0268
SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source.

Copyright 2019, cxsecurity.com

 

Back to Top