CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33993 – SQL Injection vulnerability in SAP Business One B1i Layer
https://notcve.org/view.php?id=CVE-2023-33993
B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3337797 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36925 – Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent)
https://notcve.org/view.php?id=CVE-2023-36925
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach. • https://me.sap.com/notes/3352058 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.9EPSS: 0%CPEs: 13EXPL: 0CVE-2023-36924 – Log Injection vulnerability in SAP ERP Defense Forces and Public Security
https://notcve.org/view.php?id=CVE-2023-36924
While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application. • https://me.sap.com/notes/3351410 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-117: Improper Output Neutralization for Logs •
CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0CVE-2023-36922 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
https://notcve.org/view.php?id=CVE-2023-36922
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system. • https://me.sap.com/notes/3350297 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36921 – Header Injection in SAP Solution Manager (Diagnostic Agent)
https://notcve.org/view.php?id=CVE-2023-36921
SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application. • https://me.sap.com/notes/3348145 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-116: Improper Encoding or Escaping of Output CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •