Vulnerability Details : CVE-2014-8316
XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2014-8316
- cpe:2.3:a:sap:businessobjects_explorer:14.0.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8316
- Probability of exploitation activity in the next 30 days: 2.40%
- Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90%
CVSS scores for CVE-2014-8316
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
References for CVE-2014-8316
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96933
  SAP BusinessObjects XML information disclosure CVE-2014-8316 Vulnerability Report
- http://www.securityfocus.com/archive/1/533673/100/0/threaded
  SecurityFocus
- https://service.sap.com/sap/support/notes/1908531
  Vendor Advisory
- http://seclists.org/fulldisclosure/2014/Oct/50
  Full Disclosure: SAP Security Note 1908531 - XXE in BusinessObjects Explorer (Exploit)
- http://packetstormsecurity.com/files/128633/SAP-BusinessObjects-Explorer-14.0.5-XXE-Injection.html
  SAP BusinessObjects Explorer 14.0.5 XXE Injection ≈ Packet Storm (Exploit)
- http://www.csnc.ch/misc/files/advisories/CSNC-2013-018_SAP_BusinessObjects_Explorer_XXE.txt
  404 Not Found (Exploit)
- http://scn.sap.com/docs/DOC-55451
  Acknowledgments to Security Researchers - Previous Months (2014 on wards) - Security and Identity Management - SCN Wiki (Vendor Advisory)
- http://www.securityfocus.com/bid/70384
  SAP BusinessObjects Explorer XML External Entity Injection Vulnerability