5 results (0.010 seconds)

CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 0

SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application. • https://launchpad.support.sap.com/#/notes/2788178 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability. SAP Customer Relationship Management (Email Management), versiones: S4CRM anteriores a 1.0 y 2.0, BBPCRM anteriores a 7.0, 7.01, 7.02, 7.12, 7.13 y 7.14, no codifica suficientemente las entradas controladas por el usuario dentro del cliente de correo, resultando en una vulnerabilidad de tipo Cross-Site Scripting. • https://launchpad.support.sap.com/#/notes/2751806 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.6EPSS: 2%CPEs: 6EXPL: 2

SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validación insuficiente de la información de ruta proporcionada por los usuarios, por lo que los caracteres que representan "salto al directorio padre" se pasan a las API de archivo. SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users. • https://www.exploit-db.com/exploits/44292 https://github.com/erpscanteam/CVE-2018-2380 http://www.securityfocus.com/bid/103001 https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018 https://launchpad.support.sap.com/#/notes/2547431 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue. Gwsync en SAP CRM 7.02 EHP 2 permite a atacantes remotos obtener información sensible a través de vectores no especificados, relacionado con un problema de XML External Entity (XXE). • http://scn.sap.com/docs/DOC-8218 http://secunia.com/advisories/56944 https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe https://exchange.xforce.ibmcloud.com/vulnerabilities/91098 https://service.sap.com/sap/support/notes/1917054 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue. El analizador XML (crm_flex_data) en SAP Customer Relationship Management (CRM) 7.02 EHP tiene impacto desconocido y vectores de ataque relacionados problemas con la entidades externas XML (XXE). • http://scn.sap.com/docs/DOC-8218 http://secunia.com/advisories/56064 http://www.securityfocus.com/bid/64265 http://www.securitytracker.com/id/1029488 https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe https://exchange.xforce.ibmcloud.com/vulnerabilities/89703 https://service.sap.com/sap/support/notes/1909665 •