CVE-2022-35228 — Cross-Site Request Forgery in SE SAP Businessobjects Business Intelligence Platform

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 60.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform SAP Businessobjects Business Intelligence Platform

Timeline

PublishedJul 12

Latest updateJul 13

Description

SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social engineering. On successful exploitation, the attacker can completely compromise the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDsap/businessobjects_business_intelligence_platform420, 430+1

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform420, 430+1

🔴Vulnerability Details

GHSA

GHSA-p36f-hqc8-f7jr: SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted↗2022-07-13

▶

CVEList

CVE-2022-35228: SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted↗2022-07-12

▶