CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-45282 – HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2024-45282
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted. • https://me.sap.com/notes/3251893 https://url.sap/sapsecuritypatchday • CWE-650: Trusting HTTP Permission Methods on the Server Side •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37179 – Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
https://notcve.org/view.php?id=CVE-2024-37179
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3478615 https://url.sap/sapsecuritypatchday • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 15EXPL: 0CVE-2024-45285 – Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-45285
The RFC enabled function module allows a low privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application. • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVSS: 2.4EPSS: 0%CPEs: 10EXPL: 0CVE-2024-45284 – Missing authorization check in SAP Student Life Cycle Management (SLcM)
https://notcve.org/view.php?id=CVE-2024-45284
An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application. • https://me.sap.com/notes/2256627 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45283 – Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
https://notcve.org/view.php?id=CVE-2024-45283
SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 https://url.sap/sapsecuritypatchday • CWE-256: Plaintext Storage of a Password •