CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21737 – Code Injection vulnerability in SAP Application Interface Framework (File Adapter)
https://notcve.org/view.php?id=CVE-2024-21737
09 Jan 2024 — In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability. En SAP Application Interface Framework File Adapter, versión 702, un usuario con privilegios elevados puede utilizar un módulo de funciones para atravesar varias capas y ejecutar co... • https://me.sap.com/notes/3411869 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21736 – Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
https://notcve.org/view.php?id=CVE-2024-21736
09 Jan 2024 — SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application. SAP S/4HANA Finance for (Advanced Payment Management): versiones SAPSCORE 128, S4CORE 107, no realiza las comprobaciones de autorización necesarias. Se podría activar una importación de funciones que permitiera al a... • https://me.sap.com/notes/3260667 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-21735 – Improper Authorization check in SAP LT Replication Server
https://notcve.org/view.php?id=CVE-2024-21735
09 Jan 2024 — SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system. SAP LT Replication Server - versión S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, no realizan las comprobaciones de autorizac... • https://me.sap.com/notes/3407617 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21734 – URL Redirection vulnerability in SAP Marketing (Contacts App)
https://notcve.org/view.php?id=CVE-2024-21734
09 Jan 2024 — SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application. SAP Marketing (Contacts App) - versión 160, permite a un atacante con privilegios bajos engañar a un usuario para que abra una página maliciosa, lo que podría conducir a un ataque de phishing muy convincente con bajo impacto en la confidencialidad y la integridad de ... • https://me.sap.com/notes/3190894 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50424 – Escalation of Privileges in SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go)
https://notcve.org/view.php?id=CVE-2023-50424
12 Dec 2023 — SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go): versiones < 0.17.0, permiten, bajo ciertas condiciones, una escalada de privilegios. Si la explotación tiene éxito, un a... • https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067 • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50423 – Escalation of Privileges in SAP BTP Security Services Integration Library ([Python] cloud-pysec)
https://notcve.org/view.php?id=CVE-2023-50423
12 Dec 2023 — SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. SAP BTP Security Services Integration Library ([Python] sap-xssec): las versiones < 4.1.0 permiten, bajo ciertas condiciones, una escalada de privilegios. Si la explotación tiene éxito, un atacante no autenticado puede obtener permisos arbitrarios d... • https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067 • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6542 – Improper Export of Android Application Components in SAP EMARSYS SDK ANDROID
https://notcve.org/view.php?id=CVE-2023-6542
12 Dec 2023 — Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device. Debido a la falta de controles de autorización adecuados en Emarsys SDK para Android, un atacante puede llamar a una actividad particular y reenviarse páginas web y/o enlace... • https://me.sap.com/notes/3406244 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49587 – Command Injection vulnerability in SAP Solution Manager
https://notcve.org/view.php?id=CVE-2023-49587
12 Dec 2023 — SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network. SAP Solution Manager: versión 720, permite a un atacante autorizado ejecutar ciertos módulos de funciones obsoletos que pueden leer o modificar datos del mismo u otro componente sin interacción del usuario a través de la red. • https://me.sap.com/notes/3395306 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-49584 – Client-Side Desynchronization vulnerability in SAP Fiori Launchpad
https://notcve.org/view.php?id=CVE-2023-49584
12 Dec 2023 — SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. Plataforma de lanzamiento de SAP Fiori: versiones SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, permite a un atacante utilizar el verbo HTTP POST en un servicio de solo lectura, lo que provoca un bajo impacto ... • https://me.sap.com/notes/3406786 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50422 – Escalation of Privileges in SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library)
https://notcve.org/view.php?id=CVE-2023-50422
12 Dec 2023 — SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library): las versiones inferiores a 2.17.0 y las versiones desde 3.0.0 hasta anterio... • https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067 • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •