CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47585 – Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-47585
10 Dec 2024 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the ap... • https://me.sap.com/notes/3536361 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47580 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47580
10 Dec 2024 — An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. • https://me.sap.com/notes/3536965 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47579 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47579
10 Dec 2024 — An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability • https://me.sap.com/notes/3536965 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47578 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
https://notcve.org/view.php?id=CVE-2024-47578
10 Dec 2024 — Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable. • https://me.sap.com/notes/3536965 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32732 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
https://notcve.org/view.php?id=CVE-2024-32732
10 Dec 2024 — Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application. • https://me.sap.com/notes/3524933 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47595 – Local Privilege Escalation in SAP Host Agent
https://notcve.org/view.php?id=CVE-2024-47595
12 Nov 2024 — An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application. • https://me.sap.com/notes/3509619 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-47593 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2024-47593
12 Nov 2024 — SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application's integrity or availability. • https://me.sap.com/notes/3508947 • CWE-276: Incorrect Default Permissions •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47592 – Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application)
https://notcve.org/view.php?id=CVE-2024-47592
12 Nov 2024 — SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability. • https://me.sap.com/notes/3393899 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2024-47590 – Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher
https://notcve.org/view.php?id=CVE-2024-47590
12 Nov 2024 — An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, input data will be used by the web site page generation to create content which when executed in the victim's browser (XXS) or transmitted to another server (SSRF) gives the attacker the ability to execute arbitrary code on the server fully compromising confidentiality, integrity and availability. • https://me.sap.com/notes/3520281 • CWE-791: Incomplete Filtering of Special Elements •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47588 – Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager)
https://notcve.org/view.php?id=CVE-2024-47588
12 Nov 2024 — In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability. • https://me.sap.com/notes/3522953 • CWE-522: Insufficiently Protected Credentials •