
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Nov 2023 — An unauthenticated attacker in the NetWeaver AS Java Logon application, version 7.50, can brute force the login functionality to identify legitimate user IDs. This has an impact on confidentiality but no impact on integrity or availability. • https://me.sap.com/notes/3366410 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 5.3 | EPSS: 0% | CPEs: 15 | EXPL: 0

14 Nov 2023 — Under certain conditions SAP NetWeaver Application Server ABAP, versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access unintended data due to the lack of restrictions applied, which may lead to low impact on confidentiality and no impact on the integrity and availability of the applicati... • https://me.sap.com/notes/3362849 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Nov 2023 — SAP Business One installation, version 10.0, does not perform proper authentication and authorization checks for the SMB shared folder. As a result, any malicious user can read from and write to the SMB shared folder. Additionally, the files in the folder can be executed or used by the installation process, leading to considerable impact on confidentiality, integrity and availability. • https://me.sap.com/notes/3355658 • CWE-284: Improper Access Control • CWE-863: Incorrect Authorization

CVSS: 6.4 | EPSS: 0% | CPEs: 4 | EXPL: 0

30 Oct 2023 — In SAP Enable Now, versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information. • https://launchpad.support.sap.com/#/notes/3326769 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Oct 2023 — SAP NetWeaver AS Java (GRMG Heartbeat application), version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3333426 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 6 | EXPL: 0

10 Oct 2023 — The Statutory Reporting application has a vulnerable file storage location, potentially enabling a low-privileged attacker to read server files, with minimal impact on confidentiality. • https://me.sap.com/notes/3222121 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Oct 2023 — SAP BusinessObjects Web Intelligence, version 420, has a URL with a parameter that could be vulnerable to an XSS attack. The attacker could send a malicious link to a user, which would possibly allow the attacker to retrieve sensitive information. • https://me.sap.com/notes/3372991 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Oct 2023 — S/4HANA Manage (Withholding Tax Items), version 106, does not perform the necessary authorization checks for an authenticated user, resulting in an escalation of privileges that has low impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3219846 • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Oct 2023 — SAP Business One (B1i), version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message in order to conduct XXE injection, which leads to information disclosure. After successful exploitation, an attacker can cause limited impact on confidentiality and no impact on integrity and availability. • https://me.sap.com/notes/3338380 • CWE-209: Generation of Error Message Containing Sensitive Information • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Oct 2023 — SAP PowerDesigner Client, version 16.7, does not sufficiently validate BPMN2 XML documents imported from an untrusted source. As a result, URLs of external entities in a BPMN2 file, although not used, would be accessed during import. A successful attack could impact the availability of SAP PowerDesigner Client. • https://me.sap.com/notes/3357154 • CWE-112: Missing XML Validation