CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41263
https://notcve.org/view.php?id=CVE-2022-41263
12 Dec 2022 — Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application. • https://launchpad.support.sap.com/#/notes/3249648 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41262
https://notcve.org/view.php?id=CVE-2022-41262
12 Dec 2022 — Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver AS Java (HTTP Provider Service), versión 7.50, permite a un atacante no autenticado inyectar un script en un encabe... • https://launchpad.support.sap.com/#/notes/3262544 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41261
https://notcve.org/view.php?id=CVE-2022-41261
12 Dec 2022 — SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized. • https://launchpad.support.sap.com/#/notes/3265173 • CWE-284: Improper Access Control •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31596
https://notcve.org/view.php?id=CVE-2022-31596
12 Dec 2022 — Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring database to retrieve and modify (non-personal) system data which would otherwise be restricted. Also, a potential attack could be used to leave the CMS's scope and impact the database. A successful attack could have a low impact on confidentiality, a high impact on integrity, an... • https://launchpad.support.sap.com/#/notes/3213507 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41215
https://notcve.org/view.php?id=CVE-2022-41215
08 Nov 2022 — SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. SAP NetWeaver ABAP Server y ABAP Platform permiten que un atacante no autenticado redirija a los usuarios a un sitio malicioso debido a una validación de URL insuficiente. Esto podría llevar a que se engañe al usuario para que revele información personal. • https://launchpad.support.sap.com/#/notes/3251202 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41214
https://notcve.org/view.php?id=CVE-2022-41214
08 Nov 2022 — Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una funció... • https://launchpad.support.sap.com/#/notes/3256571 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41260
https://notcve.org/view.php?id=CVE-2022-41260
08 Nov 2022 — SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a web script via a GET request. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. SAP Financial Consolidation, versión 1010, no codifica suficientemente la entrada controlada por el usuario, lo que puede permitir que un atacante no autenticado inyecte un script we... • https://launchpad.support.sap.com/#/notes/3260708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41203
https://notcve.org/view.php?id=CVE-2022-41203
08 Nov 2022 — In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability. This could highly compromise the Confidentiality, Integrity, and Availability of the system. En algunos flujos de trabajo de la plataforma SAP BusinessObjects BI (Central Management Console y BI... • https://launchpad.support.sap.com/#/notes/3243924 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41207
https://notcve.org/view.php?id=CVE-2022-41207
08 Nov 2022 — SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information. SAP Biller Direct permite que un atacante no autenticado cree una URL de apariencia legítima. Cuando una víctima desprevenida hace clic en él, utilizará un parámetro no sensible para redirigir a la ví... • https://launchpad.support.sap.com/#/notes/3238042 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41258
https://notcve.org/view.php?id=CVE-2022-41258
08 Nov 2022 — Due to insufficient input validation, SAP Financial Consolidation - version 1010, allows an authenticated attacker to inject malicious script when running a common query in the Web Administration Console. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality, integrity and availability of the application. Debido a una validación de entrada insuficiente, SAP Financial Consolidation, versión 1010, permite a un atacante autenticado inyectar scripts m... • https://launchpad.support.sap.com/#/notes/3260708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •