CVE-2018-2380 – SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2018-2380
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validación insuficiente de la información de ruta proporcionada por los usuarios, por lo que los caracteres que representan "salto al directorio padre" se pasan a las API de archivo. SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users. • https://www.exploit-db.com/exploits/44292 https://github.com/erpscanteam/CVE-2018-2380 http://www.securityfocus.com/bid/103001 https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018 https://launchpad.support.sap.com/#/notes/2547431 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-2364
https://notcve.org/view.php?id=CVE-2018-2364
SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability. SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01 y S4FND 1.02, no valida suficientemente y/o codifica los campos ocultos, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/103002 https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018 https://launchpad.support.sap.com/#/notes/2541700 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-15294
https://notcve.org/view.php?id=CVE-2017-15294
The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. La consola de administración Java en SAP CRM tiene XSS. Esto corresponde con SAP Security Note 2478964. • http://www.securityfocus.com/bid/99532 https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017 https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-15296
https://notcve.org/view.php?id=CVE-2017-15296
The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. El componente Java en SAP CRM tiene CSRF. Esto corresponde con SAP Security Note 2478964. • https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017 https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2015-3979
https://notcve.org/view.php?id=CVE-2015-3979
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. Vulnerabilidad no especificada en el Framework Business Rules (CRM-BF-BRF) en SAP CRM permite a atacantes ejecutar código arbitrario a través de vectores desconocidos, también conocido como la nota de seguridad de SAP 2097534. • http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition http://www.securityfocus.com/bid/74626 http://www.securitytracker.com/id/1032309 •