CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35290
https://notcve.org/view.php?id=CVE-2022-35290
09 Aug 2022 — Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted. En determinadas condiciones, SAP Authenticator para Android permite a un atacante acceder a información que de otro modo estaría restringida • https://launchpad.support.sap.com/#/notes/3216653 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35291 – Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
https://notcve.org/view.php?id=CVE-2022-35291
27 Jul 2022 — Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application Debido a los endpoints de la aplicación configurados inapropiadamente, las APIs de adj... • https://launchpad.support.sap.com/#/notes/3226411 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32249
https://notcve.org/view.php?id=CVE-2022-32249
12 Jul 2022 — Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high privileged account credentials) En un escenario especial de integración de SAP Business One y SAP HANA - versión 10.0, un atacante puede explotar el volumen de datos del cockpit de HANA para acceder a información altamente confidencial (por ejemplo, credenciales de cuentas con altos privilegios) • https://launchpad.support.sap.com/#/notes/3212997 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35224
https://notcve.org/view.php?id=CVE-2022-35224
12 Jul 2022 — SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim�s web browser session. SAP Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficienteme... • https://launchpad.support.sap.com/#/notes/3210779 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35228
https://notcve.org/view.php?id=CVE-2022-35228
12 Jul 2022 — SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social engineering. On successful exploitation, the attacker can completely compromise the application. SAP BusinessObjects CMC permite a un atacante no autenticado recuperar información de tokens a través de la red que, de otro modo, estaría rest... • https://launchpad.support.sap.com/#/notes/3221288 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35225
https://notcve.org/view.php?id=CVE-2022-35225
12 Jul 2022 — SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. This leads to limited impact on confidentiality and integrity of data. SAP NetWeaver Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario a través de la red, res... • https://launchpad.support.sap.com/#/notes/3208880 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35227
https://notcve.org/view.php?id=CVE-2022-35227
12 Jul 2022 — A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session. Una vulnerabilidad en SAP NW EP (WPC) - versiones 7.30, 7.31, 7.40, 7.50, que no comprueba s... • https://launchpad.support.sap.com/#/notes/3211760 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35172
https://notcve.org/view.php?id=CVE-2022-35172
12 Jul 2022 — SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejado • https://launchpad.support.sap.com/#/notes/3207902 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35171
https://notcve.org/view.php?id=CVE-2022-35171
12 Jul 2022 — When a user opens manipulated JPEG 2000 (.jp2, jp2k.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below Cuando un usuario abre archivos JPEG 2000 (.jp2, jp2k.x3d) manipulados recibidos de fuentes no fiables en SAP 3D Visual Enterprise Viewer, la aplicación es bloqueada y deja de estar disponib... • https://launchpad.support.sap.com/#/notes/3220746 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35169
https://notcve.org/view.php?id=CVE-2022-35169
12 Jul 2022 — SAP BusinessObjects Business Intelligence Platform (LCM) - versions 420, 430, allows an attacker with an admin privilege to read and decrypt LCMBIAR file's password under certain conditions, enabling the attacker to modify the password or import the file into another system causing high impact on confidentiality but a limited impact on the availability and integrity of the application. SAP BusinessObjects Business Intelligence Platform (LCM) - versiones 420, 430, permite a un atacante con un privilegio de a... • https://launchpad.support.sap.com/#/notes/3194361 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •