CVE-2024-25646

CWE-732 — Incorrect Permission Assignment CWE-200 — Information Exposure3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 73.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects WEB Intelligence SAP Businessobjects WEB Intelligence

Timeline

PublishedApr 9

Description

Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶NVDsap/businessobjects_web_intelligence420, 430, 440+2

▶CVEListV5sap_se/sap_businessobjects_web_intelligence420, 430, 440+2

Patches

Patch: support.sap.com ↗Patch: support.sap.com ↗

🔴Vulnerability Details

CVEList

Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence↗2024-04-09

▶

GHSA

GHSA-r63f-6gcw-2c47: Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system informatio↗2024-04-09

▶