CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35872 – Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool)
https://notcve.org/view.php?id=CVE-2023-35872
The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. An unauthenticated user might access technical data about the product status and its configuration. The vulnerability does not allow access to sensitive information or administrative functionalities. On successful exploitation an attacker can cause limited impact on confidentiality and availability of the application. • https://me.sap.com/notes/3343564 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33989 – Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)
https://notcve.org/view.php?id=CVE-2023-33989
An attacker with non-administrative authorizations in SAP NetWeaver (BI CONT ADD ON) - versions 707, 737, 747, 757, can exploit a directory traversal flaw to over-write system files. Data from confidential files cannot be read but potentially some OS files can be over-written leading to system compromise. • https://me.sap.com/notes/3331376 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-31405 – Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
https://notcve.org/view.php?id=CVE-2023-31405
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability. • https://me.sap.com/notes/3324732 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-117: Improper Output Neutralization for Logs •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33985 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
https://notcve.org/view.php?id=CVE-2023-33985
SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3331627 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33984 – Cross-Site Scripting (XSS) vulnerability in NetWeaver (Design Time Repository)
https://notcve.org/view.php?id=CVE-2023-33984
SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability. • https://launchpad.support.sap.com/#/notes/3318657 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •