CVE-2010-3979

Name of the Vulnerable Software and Affected Versions SAP BusinessObjects Enterprise XI version 3.2

Description The issue allows remote attackers to enumerate account names by generating different error messages depending on whether the Login field corresponds to a valid username. This can be done via a login SOAPAction to the "dswsbobje/services/session" URI.

Recommendations For SAP BusinessObjects Enterprise XI version 3.2, consider restricting access to the dswsbobje/services/session URI to minimize the risk of exploitation. As a temporary workaround, limit the information disclosed in error messages to prevent account name enumeration.