CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 0CVE-2023-29188 – Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
https://notcve.org/view.php?id=CVE-2023-29188
09 May 2023 — SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data. • https://i7p.wdf.sap.corp/sap/support/notes/3315979 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2023-24525
https://notcve.org/view.php?id=CVE-2023-24525
14 Feb 2023 — SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application. SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authent... • https://launchpad.support.sap.com/#/notes/2788178 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0CVE-2019-0245
https://notcve.org/view.php?id=CVE-2019-0245
08 Jan 2019 — SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106468 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0CVE-2019-0244
https://notcve.org/view.php?id=CVE-2019-0244
08 Jan 2019 — SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106473 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.6EPSS: 6%CPEs: 6EXPL: 3CVE-2018-2380 – SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2018-2380
01 Mar 2018 — SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validación insuficiente de la información de ruta proporcionada por los usuarios, por lo que los caracteres que representan "salto al directorio padre" se pasan a las API de archivo. SAP Customer Rel... • https://packetstorm.news/files/id/146820 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-2364
https://notcve.org/view.php?id=CVE-2018-2364
14 Feb 2018 — SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability. SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01 y S4FND 1.02, no valida suficientemente y/o codifica los campos ocultos, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/103002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •