CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33985 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
https://notcve.org/view.php?id=CVE-2023-33985
13 Jun 2023 — SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3331627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33984 – Cross-Site Scripting (XSS) vulnerability in NetWeaver (Design Time Repository)
https://notcve.org/view.php?id=CVE-2023-33984
13 Jun 2023 — SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability. • https://launchpad.support.sap.com/#/notes/3318657 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-32115 – SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)
https://notcve.org/view.php?id=CVE-2023-32115
13 Jun 2023 — An attacker can exploit MDS COMPARE TOOL and use specially crafted inputs to read and modify database commands, resulting in the retrieval of additional information persisted by the system. • https://launchpad.support.sap.com/#/notes/1794761 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 3.3EPSS: 0%CPEs: 11EXPL: 0CVE-2023-32114 – Denial of Service in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2023-32114
13 Jun 2023 — SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application. • https://launchpad.support.sap.com/#/notes/3325642 • CWE-400: Uncontrolled Resource Consumption CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-2827 – Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital
https://notcve.org/view.php?id=CVE-2023-2827
13 Jun 2023 — SAP Plant Connectivity - version 15.5 (PCo) or the Production Connector for SAP Digital Manufacturing - version 1.0, do not validate the signature of the JSON Web Token (JWT) in the HTTP request sent from SAP Digital Manufacturing. Therefore, unauthorized callers from the internal network could send service requests to PCo or the Production Connector, which could have an impact on the integrity of the integration with SAP Digital Manufacturing. • https://launchpad.support.sap.com/#/notes/3301942 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2023-32112 – Missing Authorization Check in Vendor Master Hierarchy
https://notcve.org/view.php?id=CVE-2023-32112
09 May 2023 — Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system. Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APP... • https://launchpad.support.sap.com/#/notes/2335198 • CWE-862: Missing Authorization •
CVSS: 9.4EPSS: 0%CPEs: 15EXPL: 0CVE-2023-32113 – Information Disclosure vulnerability in SAP GUI for Windows
https://notcve.org/view.php?id=CVE-2023-32113
09 May 2023 — SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking it into clicking a prepared shortcut file. Depending on the authorizations of the victim, the attacker can read and modify potentially sensitive information after successful exploitation. • https://launchpad.support.sap.com/#/notes/3320467 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32111 – Memory Corruption vulnerability in SAP PowerDesigner (Proxy)
https://notcve.org/view.php?id=CVE-2023-32111
09 May 2023 — In SAP PowerDesigner (Proxy) - version 16.7, an attacker can send a crafted request from a remote host to the proxy machine and crash the proxy server, due to faulty implementation of memory management causing a memory corruption. This leads to a high impact on availability of the application. • https://launchpad.support.sap.com/#/notes/3300624 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31407 – Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation
https://notcve.org/view.php?id=CVE-2023-31407
09 May 2023 — SAP Business Planning and Consolidation - versions 740, 750, allows an authorized attacker to upload a malicious file, resulting in Cross-Site Scripting vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3312892 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31406 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-31406
09 May 2023 — Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3319400 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •