CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42480 – Information Disclosure in NetWeaver AS Java Logon
https://notcve.org/view.php?id=CVE-2023-42480
The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability. El atacante no autenticado en la aplicación NetWeaver AS Java Logon versión 7.50 puede forzar la funcionalidad de inicio de sesión para identificar los ID de usuario legítimos. Esto tendrá un impacto en la confidencialidad, pero no hay ningún otro impacto en la integridad o disponibilidad. • https://me.sap.com/notes/3366410 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42477 – Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
https://notcve.org/view.php?id=CVE-2023-42477
SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. SAP NetWeaver AS Java (aplicación GRMG Heartbeat): versión 7.50, permite a un atacante enviar una solicitud manipulada desde una aplicación web vulnerable, lo que provoca un impacto limitado en la confidencialidad y la integridad de la aplicación. • https://me.sap.com/notes/3333426 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24526 – Improper Access Control in SAP NetWeaver AS Java (Classload Service)
https://notcve.org/view.php?id=CVE-2023-24526
SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. • https://launchpad.support.sap.com/#/notes/3288394 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41262
https://notcve.org/view.php?id=CVE-2022-41262
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver AS Java (HTTP Provider Service), versión 7.50, permite a un atacante no autenticado inyectar un script en un encabezado de solicitud web. Si la explotación tiene éxito, un atacante puede ver o modificar información causando un impacto limitado en la confidencialidad e integridad de la aplicación. • https://launchpad.support.sap.com/#/notes/3262544 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26103
https://notcve.org/view.php?id=CVE-2022-26103
Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. Bajo determinadas condiciones, SAP NetWeaver (Real Time Messaging Framework) - versión 7.50, permite a un atacante acceder a información que podría conllevar a una recopilación de información para otras explotaciones y ataques • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 https://launchpad.support.sap.com/#/notes/3132360 • CWE-862: Missing Authorization •