CVE-2020-6198
https://notcve.org/view.php?id=CVE-2020-6198
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check. SAP Solution Manager (Diagnostics Agent), versión 720, permite conexiones no cifradas de fuentes no autenticadas. Esto permite a un atacante controlar todas las funciones remotas en el Agente debido a una Falta de Comprobación de Autenticación. • https://launchpad.support.sap.com/#/notes/2845377 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 • CWE-306: Missing Authentication for Critical Function CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2018-2405
https://notcve.org/view.php?id=CVE-2018-2405
SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting. En SAP Solution Manager, en versiones 7.10 y 7.20, Incident Management Work Center permite que un atacante suba un script malicioso como adjunto, lo que podría conducir a un posible Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/103703 https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018 https://launchpad.support.sap.com/#/notes/2372688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-2361
https://notcve.org/view.php?id=CVE-2018-2361
In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools. En SAP Solution Manager 7.20, el rol SAP_BPO_CONFIG otorga al usuario de configuración Business Process Operations (BPO) más autorización de la requerida para configurar las herramientas BPO. • http://www.securityfocus.com/bid/102450 https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018 https://launchpad.support.sap.com/#/notes/2507934 • CWE-863: Incorrect Authorization •
CVE-2016-10005 – SAP Solman 7.31 Information Disclosure
https://notcve.org/view.php?id=CVE-2016-10005
Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524. Webdynpro en SAP Solman 7.1 hasta la versión 7.31 permite a atacantes remotos obtener información sensible a través de la petición webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd, vulnerabilidad también conocida como SAP Security Note 2344524. SAP Solman versions 7.1 through 7.31 suffer from an information disclosure vulnerability. • http://packetstormsecurity.com/files/140232/SAP-Solman-7.31-Information-Disclosure.html http://seclists.org/fulldisclosure/2016/Dec/69 http://www.securityfocus.com/bid/92949 https://erpscan.io/advisories/erpscan-16-035-sap-solman-user-accounts-dislosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •