
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

SAP Enable Now Manager does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker with the role 'Learner' could gain access to other users' data in Manager, which will lead to a high impact on the confidentiality of the application.

• https://me.sap.com/notes/3441944
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-862: Missing Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 7 | EXPL: 0

The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability.

• https://me.sap.com/notes/3359778
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-400: Uncontrolled Resource Consumption

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Resource Settings page allows a high privilege attacker to load an exploitable payload that is stored and reflected whenever a user visits the page. In a successful attack, some information could be obtained and/or modified. However, the attacker does not have control over what information is obtained, or the amount or kind of loss is limited.

• https://me.sap.com/notes/3421453
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which is reflected in the server response. Under certain circumstances, if the parameter contains JavaScript, the script could be processed on the client side.

• https://me.sap.com/notes/3421453
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Self-Registration and Modify your own profile in the User Admin Application of NetWeaver AS Java do not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

• https://me.sap.com/notes/3434839
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-640: Weak Password Recovery Mechanism for Forgotten Password