Raj Kumar Yadav

**Name of the Vulnerable Software and Affected Versions** BPC SmartVista 2 **Description** The issue is related to a CSRF problem. It affects the `/SVFE2/pages/admpages/roles/createrole.jsf` API endpoint. **Recommendations** For BPC SmartVista 2, consider implementing proper CSRF protection mechanisms to prevent exploitation. As a temporary workaround, restrict access to the `/SVFE2/pages/admpages/roles/createrole.jsf` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BPC SmartVista 2 **Description** The issue is related to improper access control in the SVFE module. A normal user can access the "SVFE2/pages/finadmin/currconvrate/currconvrate.jsf" functionality, which should only be accessible to an admin. **Recommendations** For BPC SmartVista 2, restrict access to the SVFE2/pages/finadmin/currconvrate/currconvrate.jsf functionality to only admin users as a temporary workaround until a proper fix is available.

**Name of the Vulnerable Software and Affected Versions** BPC SmartVista version 2 **Description** The issue concerns a session fixation problem via the `JSESSIONID` parameter. **Recommendations** For version 2, consider restricting access to the `JSESSIONID` parameter to minimize the risk of exploitation.