Page 2 of 49 results (0.005 seconds)

CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0

SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker. • https://launchpad.support.sap.com/#/notes/3275458 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 27EXPL: 0

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system. • https://launchpad.support.sap.com/#/notes/3089413 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-294: Authentication Bypass by Capture-replay •

CVSS: 5.4EPSS: 0%CPEs: 11EXPL: 0

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. Un atacante con privilegios básicos de usuario de negocio podría diseñar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego es descargado y visualizado por otros usuarios, dando lugar a un ataque de tipo Cross-Site-Scripting almacenado. Esto podría conllevar a una divulgación de información, incluyendo el robo de información de autenticación y una suplantación del usuario afectado • https://launchpad.support.sap.com/#/notes/3218177 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 2

SAP startservice - of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22, - on Unix systems, s-bit helper program sapuxuserchk, can be abused physically resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability. SAP startservice - de SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform y HANA Database - versiones KERNEL versiones 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49 49, 7.53, SAPHOSTAGENT 7.22, - en los sistemas Unix, el programa de ayuda s-bit sapuxuserchk, puede ser abusado físicamente resultando en una escalada de privilegios de un atacante que conlleva a un bajo impacto en la confidencialidad e integridad, pero un profundo impacto en la disponibilidad SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition. • http://packetstormsecurity.com/files/168409/SAP-SAPControl-Web-Service-Interface-Local-Privilege-Escalation.html http://seclists.org/fulldisclosure/2022/Sep/18 https://launchpad.support.sap.com/#/notes/3158619 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-269: Improper Privilege Management •

CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0

SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. SAP NetWeaver, ABAP Platform y SAP Host Agent - versiones KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49 53, 8.04, SAPHOSTAGENT 7.22, permite a un usuario autenticado hacer un uso no debido de una función de sapcontrol webfunctionality(startservice) en el Kernel que permite a usuarios maliciosos recuperar información. Si es explotado con éxito, un atacante puede obtener información técnica como el número de sistema o la dirección física, que de otro modo está restringida, causando un impacto limitado en la confidencialidad de la aplicación • https://launchpad.support.sap.com/#/notes/3194674 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-918: Server-Side Request Forgery (SSRF) •