Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. When a user's password is changed, all other active sessions created using the older password continue to be active.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
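The following added example (not SAP's code and not part of the advisory) contrasts a password change that leaves sessions opened with the old password active with one that revokes them and issues a fresh identifier. The `SessionStore` class, its method names and the sample account are hypothetical.

```python
import hashlib, hmac, secrets

class SessionStore:
    """Hypothetical in-memory credential and session store."""
    def __init__(self):
        self._users = {}     # username -> (salt, password digest)
        self._sessions = {}  # session token -> username

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        salt, stored = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(stored, candidate):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def is_active(self, token):
        return token in self._sessions

    def change_password_weak(self, token, new_password):
        # Behaviour described above: the credential is replaced, but every
        # session created with the older password stays valid.
        self.set_password(self._sessions[token], new_password)
        return token

    def change_password_hardened(self, token, new_password):
        username = self._sessions[token]
        self.set_password(username, new_password)
        # Revoke every session of this user, including the caller's own.
        for old in [t for t, u in self._sessions.items() if u == username]:
            del self._sessions[old]
        # Issue a new identifier so the caller stays signed in.
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = username
        return fresh

def demo(method_name):
    """Return (other session still active, caller's session active)."""
    store = SessionStore()
    store.set_password("alice", "old-password")      # constructed sample account
    other = store.login("alice", "old-password")     # e.g. a second browser
    current = store.login("alice", "old-password")
    fresh = getattr(store, method_name)(current, "new-password")
    return store.is_active(other), store.is_active(fresh)
```

`demo("change_password_weak")` reports the second session as still active after the change, while `demo("change_password_hardened")` reports it revoked.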
Name | Vendor | Start Version | End Version |
---|---|---|---|
Businessobjects | Sap | 4.0 (including) | 4.0 (including) |
Businessobjects | Sap | 4.10 (including) | 4.10 (including) |
Businessobjects | Sap | 4.20 (including) | 4.20 (including) |
Businessobjects | Sap | 4.30 (including) | 4.30 (including) |
Such a scenario is commonly observed when: