CVE-2024-21738 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-21738
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation. SAP NetWeaver ABAP Application Server y ABAP Platform no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante con pocos privilegios puede causar un impacto limitado en la confidencialidad de los datos de la aplicación después de una explotación exitosa. • https://me.sap.com/notes/3387737 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-49581 – SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-49581
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability. SAP GUI para Windows y SAP GUI para Java permiten que un atacante no autenticado acceda a información que de otro modo estaría restringida y confidencial. Además, esta vulnerabilidad permite que un atacante no autenticado escriba datos en una tabla de base de datos. • https://me.sap.com/notes/3392547 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-40309 – Missing Authorization check in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40309
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. SAP CommonCryptoLib no realiza las comprobaciones de autenticación necesarias, lo que puede dar como resultado comprobaciones de autorización faltantes o incorrectas para un usuario autenticado, lo que resulta en una escalada de privilegios. Según la aplicación y el nivel de privilegios adquiridos, un atacante podría abusar de la funcionalidad restringida a un grupo de usuarios concreto, así como leer, modificar o eliminar datos restringidos. • https://me.sap.com/notes/3340576 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVE-2023-40624 – Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)
https://notcve.org/view.php?id=CVE-2023-40624
SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application. SAP NetWeaver AS ABAP (aplicaciones basadas en renderizado unificado): versiones SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, permite a un atacante inyectar código JavaScript que se puede ejecutar en la aplicación web . De este modo, un atacante podría controlar el comportamiento de esta aplicación web. • https://me.sap.com/notes/3323163 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-40308 – Memory Corruption vulnerability in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40308
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information. SAP CommonCryptoLib permite que un atacante no autenticado cree una solicitud que, cuando se envía a un puerto abierto, provoca un error de corrupción de memoria en una librería, lo que a su vez provoca que el componente de target falle y deje de estar disponible. No hay posibilidad de ver o modificar ninguna información. • https://me.sap.com/notes/3327896 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-476: NULL Pointer Dereference CWE-787: Out-of-bounds Write •