CVE-2024-45284 – Missing authorization check in SAP Student Life Cycle Management (SLcM)
https://notcve.org/view.php?id=CVE-2024-45284
An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application. • https://me.sap.com/notes/2256627 https://url.sap/sapsecuritypatchday • CWE-862: Missing Authorization •
CVE-2024-45283 – Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
https://notcve.org/view.php?id=CVE-2024-45283
SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 https://url.sap/sapsecuritypatchday • CWE-256: Plaintext Storage of a Password •
CVE-2024-45281 – DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2024-45281
SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application. • https://me.sap.com/notes/3425287 https://url.sap/sapsecuritypatchday • CWE-426: Untrusted Search Path •
CVE-2024-45280 – Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
https://notcve.org/view.php?id=CVE-2024-45280
Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. • https://me.sap.com/notes/3505503 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-45279 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel)
https://notcve.org/view.php?id=CVE-2024-45279
Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. • https://me.sap.com/notes/3501359 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •