CVE-2024-30218 – Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-30218
The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability.
• https://me.sap.com/notes/3359778
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-400: Uncontrolled Resource Consumption
• CWE-605: Multiple Binds to the Same Port
CVE-2024-27900 – Missing Authorization check in SAP ABAP Platform
https://notcve.org/view.php?id=CVE-2024-27900
Due to a missing authorization check, an attacker with a business user account in SAP ABAP Platform (versions 758, 795) can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.
• https://me.sap.com/notes/3419022
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364
• CWE-862: Missing Authorization
CVE-2023-29110 – Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
https://notcve.org/view.php?id=CVE-2023-29110
The SAP Application Interface (Message Dashboard) application, versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, allows the usage of HTML tags. An authorized attacker can use some of the basic HTML codes such as headings, basic formatting and lists, and can then inject images from foreign domains. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.
• https://launchpad.support.sap.com/#/notes/3113349
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2023-29109 – Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
https://notcve.org/view.php?id=CVE-2023-29109
The SAP Application Interface Framework (Message Dashboard) application, versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, allows Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
• https://launchpad.support.sap.com/#/notes/3115598
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2023-29108 – IP filter vulnerability in ABAP Platform and SAP Web Dispatcher
https://notcve.org/view.php?id=CVE-2023-29108
The IP filter in ABAP Platform and SAP Web Dispatcher, versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable due to erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.
• https://launchpad.support.sap.com/#/notes/3315312
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-923: Improper Restriction of Communication Channel to Intended Endpoints