
CVSS: 5.7 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 Sep 2022 — Under certain conditions, an attacker authenticated as a CMS administrator can access the BOE Commentary database and retrieve (non-personal) system data and modify system data, but can't make the system unavailable. This needs the attacker to have high privilege access to the same physical/logical network to access information which would otherwise be restricted, leading to low impact on confidentiality and high impact on integrity of the application. • https://launchpad.support.sap.com/#/notes/3213524 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Sep 2022 — Under certain conditions, SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430 allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted. • https://launchpad.support.sap.com/#/notes/3217303 • CWE-311: Missing Encryption of Sensitive Data

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Sep 2022 — SAP GRC Access control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad. This attack can be launched only within the firewall. On successful exploitation the attacker can gain access to admin session and completely compromise the application. • https://launchpad.support.sap.com/#/notes/3237075 • CWE-287: Improper Authentication

CVSS: 6.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

13 Sep 2022 — An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. • https://launchpad.support.sap.com/#/notes/3229820 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Sep 2022 — SAP NetWeaver Enterprise Portal (KMC) - version 7.50 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. KMC servlet is vulnerable to XSS attack. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of the victim's web browser session. • https://launchpad.support.sap.com/#/notes/3219164 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 11 • EXPL: 0

13 Sep 2022 — An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. • https://launchpad.support.sap.com/#/notes/3218177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Sep 2022 — In SAP Business One application when a service is created, the executable path contains spaces and isn't enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability. • https://launchpad.support.sap.com/#/notes/3223392 • CWE-428: Unquoted Search Path or Element

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

13 Sep 2022 — In SAP Host Agent (SAPOSCOL) - version 7.22, an attacker may use files created by saposcol to escalate privileges for themselves. SAP Host Agent suffers from a privilege escalation vulnerability. • https://packetstorm.news/files/id/170233 • CWE-755: Improper Handling of Exceptional Conditions

CVSS: 8.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

09 Aug 2022 — SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430 allows an unauthenticated attacker to retrieve sensitive information in plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack, thus completely compromising confidentiality but causing a limited impact on the availability of the application. • https://launchpad.support.sap.com/#/notes/3210823 • CWE-319: Cleartext Transmission of Sensitive Information

CVSS: 9.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Aug 2022 — Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to a user's account. On successful exploitation, an attacker can view or modify user data causing limited impact on confidentiality and integrity of the application. • https://launchpad.support.sap.com/#/notes/3210566 • CWE-862: Missing Authorization