CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22127 – Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in)
https://notcve.org/view.php?id=CVE-2024-22127
12 Mar 2024 — SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application. SAP NetWeaver Administrator AS Java (complemento Administrator Log Viewer): versión 7.50, permite a un atacante con altos privilegios cargar archivos potenci... • https://me.sap.com/notes/3433192 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2024-24741 – Missing Authorization check in SAP Master Data Governance Material
https://notcve.org/view.php?id=CVE-2024-24741
13 Feb 2024 — SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability. SAP Master Data Governance for Material Data: versiones 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, no realiza la verificación de autorización necesaria para un usuario autentica... • https://me.sap.com/notes/2897391 • CWE-862: Missing Authorization •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22129 – Cross-Site Scripting (XSS) vulnerability in SAP Companion
https://notcve.org/view.php?id=CVE-2024-22129
13 Feb 2024 — SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application. SAP Companion: versión <3.1.38, tiene una URL con un parámetro que podría ser vulnerable a un ataque XSS. El atacante podría enviar un enlace malicioso a un usuario que posiblemente le permitiría recuperar información co... • https://me.sap.com/notes/3404025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25643 – Missing authorization check in SAP Fiori app (My Overtime Requests)
https://notcve.org/view.php?id=CVE-2024-25643
13 Feb 2024 — The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. La aplicación SAP Fiori (Mi solicitud de horas extras), versión 605, no realiza las comprobaciones de autorización necesarias para un usuario autenticado, lo que ... • https://me.sap.com/notes/3237638 • CWE-862: Missing Authorization •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-25642 – Improper Certificate Validation in SAP Cloud Connector
https://notcve.org/view.php?id=CVE-2024-25642
13 Feb 2024 — Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system. Debido a una validación incorrecta del certificado en SAP Cloud Connector - versión 2.0, el atacante puede hacerse pasar por los servidores genuinos para interactuar con SCC rompiendo la auten... • https://packetstorm.news/files/id/178583 • CWE-295: Improper Certificate Validation •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24743 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
https://notcve.org/view.php?id=CVE-2024-24743
13 Feb 2024 — SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. SAP NetWeaver AS Java (CAF - Procedimientos guiados): versión 7.50, permite a un atacante no autenticado enviar una solicitud maliciosa con un archivo XML manipulado a través de... • https://me.sap.com/notes/3426111 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-24742 – Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-24742
13 Feb 2024 — SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability. UI de SAP CRM WebClient: versión S4FND 102, S4... • https://me.sap.com/notes/3158455 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2024-24740 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
https://notcve.org/view.php?id=CVE-2024-24740
13 Feb 2024 — SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application. SAP NetWeaver Application Server (ABAP): versiones KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, bajo ciertas condiciones, permite a un a... • https://me.sap.com/notes/3360827 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24739 – Missing authorization check in SAP BAM (Bank Account Management)
https://notcve.org/view.php?id=CVE-2024-24739
13 Feb 2024 — SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application. SAP Bank Account Management (BAM) permite que un usuario autenticado con acceso restringido utilice funciones que pueden resultar en una escalada de privilegios con bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicación. • https://me.sap.com/notes/2637727 • CWE-862: Missing Authorization •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22132 – Code Injection vulnerability in SAP IDES Systems
https://notcve.org/view.php?id=CVE-2024-22132
13 Feb 2024 — SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system. SAP IDES ECC-systems contienen código que permite la ejecución de código de programa arbitrario elegido por el usuario. Por lo tanto, un atacante puede controlar el comportamiento del sistema ejecut... • https://me.sap.com/notes/3421659 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •