
CVSS: 4.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

Fields that are in the 'read only' state in a Bank Statement Draft in the Manage Bank Statements application could be modified by the MERGE method. The property of an OData entity representing a presumably immutable method is not protected against external modifications, leading to integrity violations. Confidentiality and Availability are not impacted. • https://me.sap.com/notes/3251893 https://url.sap/sapsecuritypatchday • CWE-650: Trusting HTTP Permission Methods on the Server Side

CVSS: 7.7 • EPSS: 0% • CPEs: 3 • EXPL: 0

SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3478615 https://url.sap/sapsecuritypatchday • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.4 • EPSS: 0% • CPEs: 15 • EXPL: 0

The RFC-enabled function module allows a low-privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application. • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization

CVSS: 2.4 • EPSS: 0% • CPEs: 10 • EXPL: 0

An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application. • https://me.sap.com/notes/2256627 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization

CVSS: 6.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 https://url.sap/sapsecuritypatchday • CWE-256: Plaintext Storage of a Password