CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32730 – Missing authorization check in SAP Enable Now Manager
https://notcve.org/view.php?id=CVE-2024-32730
SAP Enable Now Manager does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, the attacker with the role 'Learner' could gain access to other user's data in manager which will lead to a high impact to the confidentiality of the application. SAP Enable Now Manager no realiza las comprobaciones de autorización necesarias para un usuario autenticado, lo que da lugar a una escalada de privilegios. Si la explotación tiene éxito, el atacante con el rol de "Aprendiz" podría obtener acceso a los datos de otros usuarios en el administrador, lo que tendrá un alto impacto en la confidencialidad de la aplicación. • https://me.sap.com/notes/3441944 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-36920 – Clickjacking vulnerability in SAP Enable Now
https://notcve.org/view.php?id=CVE-2023-36920
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information. En SAP Enable Now - versiones WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS el encabezado de respuesta no está implementado, lo que permite que un atacante no autenticado intente hacer click, lo que podría resultar en la divulgación o modificación de información. • https://launchpad.support.sap.com/#/notes/3326769 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36919 – Information Disclosure in SAP Enable Now
https://notcve.org/view.php?id=CVE-2023-36919
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated attacker to obtain referrer details, resulting in information disclosure. • https://launchpad.support.sap.com/#/notes/3326769 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-116: Improper Encoding or Escaping of Output CWE-213: Exposure of Sensitive Information Due to Incompatible Policies CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36918 – Cross-Site Scripting vulnerability in SAP Enable Now
https://notcve.org/view.php?id=CVE-2023-36918
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an unauthenticated attacker to trigger MIME type sniffing, which leads to Cross-Site Scripting, which could result in disclosure or modification of information. • https://launchpad.support.sap.com/#/notes/3326769 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33988 – Cross-Site Scripting vulnerability in SAP Enable Now
https://notcve.org/view.php?id=CVE-2023-33988
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Content-Security-Policy and X-XSS-Protection response headers are not implemented, allowing an unauthenticated attacker to attempt reflected cross-site scripting, which could result in disclosure or modification of information. • https://me.sap.com/notes/3326769 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •