CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31407 – Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation
https://notcve.org/view.php?id=CVE-2023-31407
09 May 2023 — SAP Business Planning and Consolidation - versions 740, 750, allows an authorized attacker to upload a malicious file, resulting in Cross-Site Scripting vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3312892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-23851
https://notcve.org/view.php?id=CVE-2023-23851
14 Feb 2023 — SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system. • https://launchpad.support.sap.com/#/notes/3275841 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0016 – SQL Injection vulnerability in SAP Business Planning and Consolidation MS
https://notcve.org/view.php?id=CVE-2023-0016
10 Jan 2023 — SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database. • https://launchpad.support.sap.com/#/notes/3275391 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-41268
https://notcve.org/view.php?id=CVE-2022-41268
13 Dec 2022 — In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data. En algunos roles estándar de SAP en ... • https://launchpad.support.sap.com/#/notes/3271091 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0CVE-2020-6368
https://notcve.org/view.php?id=CVE-2020-6368
15 Oct 2020 — SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting. SAP Business Planning and Consolidation, versiones - 750, 751, 752, 753, 754, 755, 810, 100, 200, pueden ser abusada por un atacante, permitiendo modificar el contenido de la aplicación mostrad... • https://launchpad.support.sap.com/#/notes/2960825 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16349
https://notcve.org/view.php?id=CVE-2017-16349
02 Aug 2018 — An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability. Existe una vulnerabilidad explotable de XEE (XML External Entity) en la funcionalidad de reporte de SAP BPC. Una petición XML especialmente manipulada puede provocar que se referen... • https://www.talosintelligence.com/vulnerability_reports/SAP • CWE-611: Improper Restriction of XML External Entity Reference •