
CVSS: 5.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

SAP Supplier Relationship Management - versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality. This information could be used to allow the attacker to specialize their attacks against SRM.
• https://me.sap.com/notes/2067220
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-306: Missing Authentication for Critical Function

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares them with the user-provided one during a login attempt, which might allow an attacker to access password hashes from the client's memory.
• https://me.sap.com/notes/3341460
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Due to a missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read functions. This allows the attacker to gather some non-sensitive information about the server. There is no impact on integrity or availability.
• https://me.sap.com/notes/3358328
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-287: Improper Authentication
• CWE-306: Missing Authentication for Critical Function

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization.
• https://plugins.trac.wordpress.org/browser/full-customer/tags/1.1.0/app/api/Health.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/a77d0fb5-8829-407d-a40a-169cf0c5f837?source=cve
• CWE-287: Improper Authentication
• CWE-863: Incorrect Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability.
• https://www.zerodayinitiative.com/advisories/ZDI-23-1048
• CWE-611: Improper Restriction of XML External Entity Reference