XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request.
https://service.sap.com/sap/support/notes/1908531
https://exchange.xforce.ibmcloud.com/vulnerabilities/96933
http://www.securityfocus.com/bid/70384
http://www.securityfocus.com/archive/1/533673/100/0/threaded