CVE-2024-44115 – Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-44115
The RFC enabled function module allows a low privileged user to add URLs to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces, and nodes. There is low impact on integrity of the application • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVE-2024-42380 – Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-42380
The RFC enabled function module allows a low privileged user to read any user's workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact on confidentiality of the application. • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVE-2024-42371 – Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-42371
The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces and nodes. There is low impact on integrity and availability of the application. • https://me.sap.com/notes/3488039 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVE-2024-21738 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-21738
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation. SAP NetWeaver ABAP Application Server y ABAP Platform no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). Un atacante con pocos privilegios puede causar un impacto limitado en la confidencialidad de los datos de la aplicación después de una explotación exitosa. • https://me.sap.com/notes/3387737 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-37492 – Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-37492
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack. • https://me.sap.com/notes/3348000 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •