CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 2CVE-2022-26101 – SAP Fiori Launchpad Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-26101
Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Fiori launchpad - versiones 754, 755, 756, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo cross-Site Scripting (XSS) The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected. • http://packetstormsecurity.com/files/167561/SAP-Fiori-Launchpad-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2022/Jun/39 https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 https://launchpad.support.sap.com/#/notes/3149805 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33699
https://notcve.org/view.php?id=CVE-2021-33699
Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unauthorized attacker or malware to takeover legitimate apps and to steal user's sensitive information. Task Hijacking, es una vulnerabilidad que afecta a las aplicaciones que se ejecutan en dispositivos Android debido a una mala configuración en el archivo AndroidManifest.xml con sus funciones de Task Control. Esto permite a un atacante no autorizado o a un malware tomar el control de aplicaciones legítimas y robar información confidencial del usuario • https://launchpad.support.sap.com/#/notes/3067219 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27605
https://notcve.org/view.php?id=CVE-2021-27605
SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. HCM Travel Management Fiori Apps V2 de SAP, versión - 608, no lleva a cabo una comprobación de autorización apropiada, permitiendo a un atacante autenticado pero no autorizado leer los números personales de los empleados, resultando en una escalada de privilegios. Sin embargo, el atacante solo puede leer determinada información como el apellido, el nombre de los empleados, por lo que hay determinada pérdida de información confidencial, la Integridad y Disponibilidad no están afectadas • https://launchpad.support.sap.com/#/notes/3025054 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-26825
https://notcve.org/view.php?id=CVE-2020-26825
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victim's browser and the victim can easily close the browser tab to terminate it. SAP Fiori Launchpad (News tile Application), versiones - 750,751,752,753,754,755, permite a un atacante no autorizado usar SAP Fiori Launchpad News tile Application para enviar código malicioso hacia un usuario final diferente (víctima), porque el mosaico News no codifica suficientemente las entradas controladas por el usuario. Resultando en la vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado. • https://launchpad.support.sap.com/#/notes/2984627 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 6EXPL: 0CVE-2020-26815
https://notcve.org/view.php?id=CVE-2020-26815
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network to retrieve sensitive / confidential resources which are otherwise restricted for internal usage only, resulting in a Server-Side Request Forgery vulnerability. SAP Fiori Launchpad (News tile Application), versiones: 750,751,752,753,754,755, permite a un atacante no autorizado enviar una petición diseñada hacia una aplicación web vulnerable. Usualmente, se usa para apuntar a sistemas internos detrás de firewalls que son normalmente inaccesibles para un atacante desde la red externa para recuperar recursos sensibles y confidenciales que de otro modo están restringidos solo para uso interno, resultando en una vulnerabilidad de tipo Server-Side Request Forgery • https://launchpad.support.sap.com/#/notes/2984627 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 • CWE-918: Server-Side Request Forgery (SSRF) •