CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50422 – Escalation of Privileges in SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library)
https://notcve.org/view.php?id=CVE-2023-50422
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library): las versiones inferiores a 2.17.0 y las versiones desde 3.0.0 hasta anteriores a 3.3.0 permiten, bajo ciertas condiciones, una escalada de privilegios. Si la explotación tiene éxito, un atacante no autenticado puede obtener permisos arbitrarios dentro de la aplicación. • https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067 https://github.com/SAP/cloud-security-services-integration-library https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 https://me.sap.com/notes/3411067 https://me.sap.com/notes/3413475 https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa https://mvnrepository.com/artifact/com.sap.cloud.security/java-security https://mvnrepo • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49583 – Escalation of Privileges in SAP BTP Security Services Integration Library ([Node.js] @sap/xssec)
https://notcve.org/view.php?id=CVE-2023-49583
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versiones < 3.6.0, permiten bajo ciertas condiciones una escalada de privilegios. Si se explota con éxito, un atacante no autenticado puede obtener permisos arbitrarios dentro de la aplicación. • https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067 https://me.sap.com/notes/3411067 https://me.sap.com/notes/3412456 https://me.sap.com/notes/3413475 https://www.npmjs.com/package/@sap/xssec https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-49581 – SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-49581
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability. SAP GUI para Windows y SAP GUI para Java permiten que un atacante no autenticado acceda a información que de otro modo estaría restringida y confidencial. Además, esta vulnerabilidad permite que un atacante no autenticado escriba datos en una tabla de base de datos. • https://me.sap.com/notes/3392547 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2023-49580 – Information disclosure in SAP GUI for Windows and SAP GUI for Java
https://notcve.org/view.php?id=CVE-2023-49580
SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP. SAP GUI para Windows y SAP GUI para Java: versiones SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, permiten que un atacante no autenticado acceda a información que de otro modo estaría restringida y confidencial. Además, esta vulnerabilidad permite que un atacante no autenticado cree configuraciones de diseño de ABAP List Viewer y con esto causa un impacto leve en la integridad y la disponibilidad, por ejemplo, también aumenta los tiempos de respuesta del AS ABAP. • https://me.sap.com/notes/3385711 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49578 – Denial of service (DOS) in SAP Cloud Connector
https://notcve.org/view.php?id=CVE-2023-49578
SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity of the application. SAP Cloud Connector: versión 2.0, permite a un usuario autenticado con privilegios bajos realizar un ataque de denegación de servicio desde la interfaz de usuario adyacente mediante el envío de una solicitud maliciosa que genera un impacto bajo en la disponibilidad y ningún impacto en la confidencialidad o integridad de la aplicación. • https://me.sap.com/notes/3362463 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-400: Uncontrolled Resource Consumption CWE-732: Incorrect Permission Assignment for Critical Resource •