CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37487 – Security misconfiguration vulnerability in SAP Business One (Service Layer)
https://notcve.org/view.php?id=CVE-2023-37487
SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application • https://me.sap.com/notes/3333616 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37484 – Information Disclosure Vulnerabilities in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-37484
SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory. • https://me.sap.com/notes/3341460 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37483 – Improper Access Control Vulnerabilities in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-37483
SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. • https://me.sap.com/notes/3341460 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36926 – Information disclosure vulnerability in SAP Host Agent
https://notcve.org/view.php?id=CVE-2023-36926
Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server. There is no impact on integrity or availability. Debido a la falta de comprobación de autenticación en SAP Host Agent - versión 7.22, un atacante no autenticado puede establecer un parámetro no documentado a un valor de compatibilidad particular y a su vez llamar a funciones de lectura. Esto permite al atacante recopilar información no sensible sobre el servidor. • https://me.sap.com/notes/3358328 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36923 – Code Injection vulnerability in SAP PowerDesigner
https://notcve.org/view.php?id=CVE-2023-36923
SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. • https://me.sap.com/notes/3341599 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •