CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31404 – Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service)
https://notcve.org/view.php?id=CVE-2023-31404
09 May 2023 — Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Central Management Service) - versions 420, 430, allows an attacker to access information which would otherwise be restricted. Some users with specific privileges could have access to credentials of other users. It could let them access data sources which would otherwise be restricted. Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Central Management Service) - versions 420, 430, allows an attacker t... • https://launchpad.support.sap.com/#/notes/3038911 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30744 – Improper access control during application start-up in SAP AS NetWeaver JAVA.
https://notcve.org/view.php?id=CVE-2023-30744
09 May 2023 — In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability. • https://launchpad.support.sap.com/#/notes/3317453 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-30743 – Improper Neutralization of Input in SAPUI5
https://notcve.org/view.php?id=CVE-2023-30743
09 May 2023 — Due to improper neutralization of input in SAPUI5 - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, sap.m.FormattedText SAPUI5 control allows injection of untrusted CSS. This blocks user’s interaction with the application. Further, in the absence of URL validation by the application, the vulnerability could lead to the attacker reading or modifying user’s information through phishing attack. • https://launchpad.support.sap.com/#/notes/3326210 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2023-30742 – Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2023-30742
09 May 2023 — SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session. The information from the victim's ses... • https://launchpad.support.sap.com/#/notes/3315971 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30741 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-30741
09 May 2023 — Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3309935 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30740 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-30740
09 May 2023 — SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and availability of the application. • https://launchpad.support.sap.com/#/notes/3313484 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 0CVE-2023-29188 – Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
https://notcve.org/view.php?id=CVE-2023-29188
09 May 2023 — SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data. • https://i7p.wdf.sap.corp/sap/support/notes/3315979 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28764 – Information Disclosure vulnerability in SAP BusinessObjects Platform
https://notcve.org/view.php?id=CVE-2023-28764
09 May 2023 — SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system. • https://i7p.wdf.sap.corp/sap/support/notes/3302595 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28762 – Information Disclosure in SAP BusinessObjects Intelligence Platform
https://notcve.org/view.php?id=CVE-2023-28762
09 May 2023 — SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction. The attacker can impersonate any user on the platform resulting into accessing and modifying data. The attacker can also make the system partially or entirely unavailable. • https://launchpad.support.sap.com/#/notes/3307833 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2023-29189 – HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2023-29189
11 Apr 2023 — SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields • https://launchpad.support.sap.com/#/notes/3269352 • CWE-23: Relative Path Traversal •