Business Objects Business Intelligence Platform
CVE-2022-41263
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.
AnalysisAI
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application. Affected products include: Sap Business Objects Business Intelligence Platform.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an u
SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, wh
In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object executio
SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/repla
SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic
Under certain conditions an authenticated attacker can get access to OS credentials. Rated high severity (CVSS 7.6), thi
Under certain conditions, BOE AdminTools/ BOE SDK allows an attacker to access information which would otherwise be rest
Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticate
Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Networ
In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json wit
In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) - version 420, some calls return
Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a m
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today