CVE-2024-30214 – Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
https://notcve.org/view.php?id=CVE-2024-30214
The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains a JavaScript, the script could be processed on client side. La aplicación permite que un atacante con privilegios elevados agregue un parámetro de consulta GET malicioso a las invocaciones del Servicio, que se reflejan en la respuesta del servidor. En determinadas circunstancias, si el parámetro contiene JavaScript, el script podría procesarse en el lado del cliente. • https://me.sap.com/notes/3421453 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-27899 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
https://notcve.org/view.php?id=CVE-2024-27899
Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability. Self-Registration and Modify your own profile en User Admin Application de NetWeaver AS Java no exige requisitos de seguridad adecuados para el contenido de la respuesta de seguridad recién definida. Un atacante puede aprovechar esto para causar un profundo impacto en la confidencialidad y un bajo impacto tanto en la integridad como en la disponibilidad. • https://me.sap.com/notes/3434839 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2024-27898 – Server-Side Request Forgery in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2024-27898
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality. La aplicación SAP NetWeaver, debido a una validación de entrada insuficiente, permite a un atacante enviar una solicitud manipulada desde una aplicación web vulnerable dirigida a sistemas internos detrás de firewalls que normalmente son inaccesibles para un atacante desde la red externa, lo que resulta en una vulnerabilidad Server-Side Request Forgery. Teniendo así un bajo impacto en la confidencialidad. • https://me.sap.com/notes/3425188 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-25646 – Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence
https://notcve.org/view.php?id=CVE-2024-25646
Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. Debido a una validación incorrecta, SAP BusinessObject Business Intelligence Launch Pad permite que un atacante autenticado acceda a información del sistema operativo mediante un documento manipulado. Una explotación exitosa podría tener un impacto considerable en la confidencialidad de la solicitud. • https://me.sap.com/notes/3421384 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2024-25645 – Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal)
https://notcve.org/view.php?id=CVE-2024-25645
Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application. Bajo ciertas condiciones, SAP NetWeaver (Enterprise Portal): la versión 7.50 permite a un atacante acceder a información que de otro modo estaría restringida, lo que causa un impacto bajo en la confidencialidad de la aplicación y sin impacto en la integridad y disponibilidad de la aplicación. • https://me.sap.com/notes/3428847 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •