CVE-2024-25643 – Missing authorization check in SAP Fiori app (My Overtime Requests)
https://notcve.org/view.php?id=CVE-2024-25643
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. La aplicación SAP Fiori (Mi solicitud de horas extras), versión 605, no realiza las comprobaciones de autorización necesarias para un usuario autenticado, lo que puede dar lugar a una escalada de privilegios. Es posible manipular las URL de solicitudes de datos para acceder a información a la que el usuario no debería tener acceso. • https://me.sap.com/notes/3237638 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •
CVE-2024-25642 – Improper Certificate Validation in SAP Cloud Connector
https://notcve.org/view.php?id=CVE-2024-25642
Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system. Debido a una validación incorrecta del certificado en SAP Cloud Connector - versión 2.0, el atacante puede hacerse pasar por los servidores genuinos para interactuar con SCC rompiendo la autenticación mutua. Por lo tanto, el atacante puede interceptar la solicitud para ver/modificar información confidencial. • http://seclists.org/fulldisclosure/2024/May/26 https://me.sap.com/notes/3424610 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-295: Improper Certificate Validation •
CVE-2024-24743 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
https://notcve.org/view.php?id=CVE-2024-24743
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. SAP NetWeaver AS Java (CAF - Procedimientos guiados): versión 7.50, permite a un atacante no autenticado enviar una solicitud maliciosa con un archivo XML manipulado a través de la red, que cuando se analiza le permitirá acceder a archivos y datos confidenciales, pero no modificarlos. Existen límites de expansión establecidos para que la disponibilidad no se vea afectada. • https://me.sap.com/notes/3426111 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2024-24742 – Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-24742
SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability. UI de SAP CRM WebClient: versión S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, no codifica suficientemente las entradas controladas por el usuario , lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante con pocos privilegios puede causar un impacto limitado en la integridad de los datos de la aplicación después de una explotación exitosa. • https://me.sap.com/notes/3158455 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-24740 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
https://notcve.org/view.php?id=CVE-2024-24740
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application. SAP NetWeaver Application Server (ABAP): versiones KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, bajo ciertas condiciones, permite a un atacante acceder a información que de otro modo podría estar restringida con baja impacto en la confidencialidad de la solicitud. • https://me.sap.com/notes/3360827 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •