CVSS: 6.6 • EPSS: 6% • CPEs: 6 • EXPL: 3

01 Mar 2018 — SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. SAP Customer Rel... • https://packetstorm.news/files/id/146820 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 • EPSS: 0% • CPEs: 8 • EXPL: 0

14 Feb 2018 — SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, and S4FND 1.02 do not sufficiently validate and/or encode hidden fields, resulting in a Cross-Site Scripting (XSS) vulnerability. • http://www.securityfocus.com/bid/103002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 8 • EXPL: 0

16 Oct 2017 — The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. • http://www.securityfocus.com/bid/99532 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

16 Oct 2017 — The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. • https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 May 2015 — SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534. • http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

12 May 2015 — Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. • http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Nov 2014 — The SAP CRM Internet Sales module allows remote attackers to execute arbitrary commands via unspecified vectors. • http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 5% • CPEs: 1 • EXPL: 0

06 Nov 2014 — The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors. • http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Feb 2014 — Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue. • http://scn.sap.com/docs/DOC-8218 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Dec 2013 — The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue. • http://scn.sap.com/docs/DOC-8218