
CVE-2024-24739 – Missing authorization check in SAP BAM (Bank Account Management)
https://notcve.org/view.php?id=CVE-2024-24739
13 Feb 2024 — SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/2637727 • CWE-862: Missing Authorization •

CVE-2024-22132 – Code Injection vulnerability in SAP IDES Systems
https://notcve.org/view.php?id=CVE-2024-22132
13 Feb 2024 — SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of the user's choice. An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3421659 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-22131 – Code Injection vulnerability in SAP ABA (Application Basis)
https://notcve.org/view.php?id=CVE-2024-22131
13 Feb 2024 — In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable. • https://me.sap.com/notes/3420923 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-22130 – Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
https://notcve.org/view.php?id=CVE-2024-22130
13 Feb 2024 — Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the application data after successful exploitation. • https://me.sap.com/notes/3410875 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-22126 – Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)
https://notcve.org/view.php?id=CVE-2024-22126
13 Feb 2024 — The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in a Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability. • https://me.sap.com/notes/3417627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23826 – Uploading an image with a specific filename causes a server-side DoS
https://notcve.org/view.php?id=CVE-2024-23826
29 Jan 2024 — spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release. • https://github.com/spbu-se/spbu_se_site/commit/5ad623eb0405260763046343c5785bc588d8a57d • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-1015 – Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3
https://notcve.org/view.php?id=CVE-2024-1015
29 Jan 2024 — Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device. • https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-1014 – Uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3
https://notcve.org/view.php?id=CVE-2024-1014
29 Jan 2024 — Uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could interrupt the availability of the administration panel by sending multiple ICMP packets. • https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html • CWE-400: Uncontrolled Resource Consumption •

CVE-2023-37200
https://notcve.org/view.php?id=CVE-2023-37200
12 Jul 2023 — A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-192-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-192-02.pdf • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2022-43461 – WordPress Slideshow SE Plugin <= 2.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-43461
28 Oct 2022 — Stored Cross-Site Scripting (XSS) vulnerability in John West Slideshow SE plugin <= 2.5.5 versions. The Slideshow SE plugin for WordPress is vulnerable to Stored Cross-Site Scripting in certain plugin configurations in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pag... • https://patchstack.com/database/vulnerability/slideshow-se/wordpress-slideshow-se-plugin-2-5-5-auth-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •