CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23857 – Improper Access Control in SAP NetWeaver AS for Java
https://notcve.org/view.php?id=CVE-2023-23857
14 Mar 2023 — Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailab... • https://launchpad.support.sap.com/#/notes/3252433 • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2023-24529
https://notcve.org/view.php?id=CVE-2023-24529
14 Feb 2023 — Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information. • https://launchpad.support.sap.com/#/notes/3282663 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0017 – Improper access control in SAP NetWeaver AS for Java
https://notcve.org/view.php?id=CVE-2023-0017
10 Jan 2023 — An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable. • https://launchpad.support.sap.com/#/notes/3268093 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41272
https://notcve.org/view.php?id=CVE-2022-41272
13 Dec 2022 — An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, lead... • https://github.com/redrays-io/CVE-2022-41272 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 9.7EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41271
https://notcve.org/view.php?id=CVE-2022-41271
13 Dec 2022 — An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to: * Read any infor... • https://launchpad.support.sap.com/#/notes/3267780 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41262
https://notcve.org/view.php?id=CVE-2022-41262
12 Dec 2022 — Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application. Debido a una validación de entrada insuficiente, SAP NetWeaver AS Java (HTTP Provider Service), versión 7.50, permite a un atacante no autenticado inyectar un script en un encabe... • https://launchpad.support.sap.com/#/notes/3262544 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35298
https://notcve.org/view.php?id=CVE-2022-35298
13 Sep 2022 — SAP NetWeaver Enterprise Portal (KMC) - version 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. KMC servlet is vulnerable to XSS attack. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser session. SAP NetWeaver Enterprise Portal (KMC) - versión 7.50, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tip... • https://launchpad.support.sap.com/#/notes/3219164 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35225
https://notcve.org/view.php?id=CVE-2022-35225
12 Jul 2022 — SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. This leads to limited impact on confidentiality and integrity of data. SAP NetWeaver Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario a través de la red, res... • https://launchpad.support.sap.com/#/notes/3208880 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35227
https://notcve.org/view.php?id=CVE-2022-35227
12 Jul 2022 — A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session. Una vulnerabilidad en SAP NW EP (WPC) - versiones 7.30, 7.31, 7.40, 7.50, que no comprueba s... • https://launchpad.support.sap.com/#/notes/3211760 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35172
https://notcve.org/view.php?id=CVE-2022-35172
12 Jul 2022 — SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejado • https://launchpad.support.sap.com/#/notes/3207902 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •