CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0CVE-2023-37492 – Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-37492
08 Aug 2023 — SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attac... • https://me.sap.com/notes/3348000 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-37491 – Improper Authorization check vulnerability in SAP Message Server
https://notcve.org/view.php?id=CVE-2023-37491
08 Aug 2023 — The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable. The ACL (Access Control List) of SAP Message Ser... • https://me.sap.com/notes/3344295 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-37490 – Binary hijack in SAP BusinessObjects Business Intelligence (Installer)
https://notcve.org/view.php?id=CVE-2023-37490
08 Aug 2023 — SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system • https://me.sap.com/notes/3317710 • CWE-427: Uncontrolled Search Path Element •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37488 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration
https://notcve.org/view.php?id=CVE-2023-37488
08 Aug 2023 — In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack.... • https://me.sap.com/notes/3350494 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37487 – Security misconfiguration vulnerability in SAP Business One (Service Layer)
https://notcve.org/view.php?id=CVE-2023-37487
08 Aug 2023 — SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application • https://me.sap.com/notes/3333616 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37484 – Information Disclosure Vulnerabilities in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-37484
08 Aug 2023 — SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory. • https://me.sap.com/notes/3341460 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37483 – Improper Access Control Vulnerabilities in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-37483
08 Aug 2023 — SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. • https://me.sap.com/notes/3341460 • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36926 – Information disclosure vulnerability in SAP Host Agent
https://notcve.org/view.php?id=CVE-2023-36926
08 Aug 2023 — Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server. There is no impact on integrity or availability. Debido a la falta de comprobación de autenticación en SAP Host Agent - versión 7.22, un atacante no autenticado puede establecer un parámetro no documentado a un valor de compati... • https://me.sap.com/notes/3358328 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36923 – Code Injection vulnerability in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-36923
08 Aug 2023 — SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavio... • https://me.sap.com/notes/3341599 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33993 – SQL Injection vulnerability in SAP Business One B1i Layer
https://notcve.org/view.php?id=CVE-2023-33993
08 Aug 2023 — B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3337797 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •