CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22126 – Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)
https://notcve.org/view.php?id=CVE-2024-22126
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability. La aplicación User Admin de SAP NetWeaver AS para Java, versión 7.50, no valida lo suficiente y codifica incorrectamente los parámetros de la URL entrante antes de incluirlos en la URL de redireccionamiento. Esto da como resultado una vulnerabilidad de Cross-Site Scripting (XSS), lo que genera un alto impacto en la confidencialidad y un impacto leve en la integridad y la disponibilidad. • https://me.sap.com/notes/3417627 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42480 – Information Disclosure in NetWeaver AS Java Logon
https://notcve.org/view.php?id=CVE-2023-42480
The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability. El atacante no autenticado en la aplicación NetWeaver AS Java Logon versión 7.50 puede forzar la funcionalidad de inicio de sesión para identificar los ID de usuario legítimos. Esto tendrá un impacto en la confidencialidad, pero no hay ningún otro impacto en la integridad o disponibilidad. • https://me.sap.com/notes/3366410 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42477 – Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
https://notcve.org/view.php?id=CVE-2023-42477
SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. SAP NetWeaver AS Java (aplicación GRMG Heartbeat): versión 7.50, permite a un atacante enviar una solicitud manipulada desde una aplicación web vulnerable, lo que provoca un impacto limitado en la confidencialidad y la integridad de la aplicación. • https://me.sap.com/notes/3333426 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41367 – Missing Authentication check in SAP NetWeaver (Guided Procedures)
https://notcve.org/view.php?id=CVE-2023-41367
Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. On successful exploitation of vulnerability under specific circumstances, attacker can view user’s email address. There is no integrity/availability impact. Debido a la falta de verificación de autenticación en la aplicación webdynpro, un usuario no autorizado en SAP NetWeaver ((Guided Procedures) - versión 7.50, puede obtener acceso a la vista de administrador de la función específica de forma anónima. En la explotación exitosa de la vulnerabilidad en circunstancias específicas, el atacante puede ver la dirección de correo electrónico del usuario. • https://me.sap.com/notes/3348142 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37488 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration
https://notcve.org/view.php?id=CVE-2023-37488
In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. • https://me.sap.com/notes/3350494 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •