CVE-2015-7726
https://notcve.org/view.php?id=CVE-2015-7726
Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script or HTML via the role name, aka SAP Security Note 2153898.
• http://seclists.org/fulldisclosure/2015/Sep/114
• https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition
• https://www.onapsis.com/research/security-advisories/sap-hana-xss-role-deletion-through-web-based-workbench
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-7725
https://notcve.org/view.php?id=CVE-2015-7725
Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1) remoteSourceName in the dropCredentials function or unspecified vectors in the (2) setTraceLevelsForXsApps, (3) _modifyUser, or (4) _newUser function, aka SAP Security Notes 2153898 and 2153765.
• http://packetstormsecurity.com/files/133761/SAP-HANA-_modifyUser-SQL-Injection.html
• http://packetstormsecurity.com/files/133762/SAP-HANA-_newUser-SQL-Injection.html
• http://packetstormsecurity.com/files/133764/SAP-HANA-setTraceLevelsForXsApps-SQL-Injection.html
• http://packetstormsecurity.com/files/133769/SAP-HANA-Drop-Credentials-SQL-Injection.html
• http://seclists.org/fulldisclosure/2015/Sep/110
• http://seclists.org/fulldisclosure/2015/Sep/111
• http://seclists.org/fulldisclosure/2015/Sep/113
• http://seclists.org
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6507
https://notcve.org/view.php?id=CVE-2015-6507
The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows local users to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2140700.
• http://packetstormsecurity.com/files/133760/SAP-HANA-hdbsql-Memory-Corruption.html
• http://seclists.org/fulldisclosure/2015/Sep/109
• https://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition
• https://www.onapsis.com/research/security-advisories/sap-hana-multiple-memory-corruption-vulnerabilities
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2015-3994
https://notcve.org/view.php?id=CVE-2015-3994
The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.
• http://packetstormsecurity.com/files/132067/SAP-HANA-Log-Injection.html
• http://seclists.org/fulldisclosure/2015/May/118
• http://www.onapsis.com/research/security-advisories/SAP-HANA-Log-Injection-Vulnerability-in-Extended-Application-Services
• http://www.securityfocus.com/archive/1/535618/100/0/threaded
• http://www.securityfocus.com/bid/74859
• CWE-20: Improper Input Validation
CVE-2015-3995
https://notcve.org/view.php?id=CVE-2015-3995
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565.
• http://packetstormsecurity.com/files/132066/SAP-HANA-Information-Disclosure.html
• http://seclists.org/fulldisclosure/2015/May/119
• http://www.onapsis.com/research/security-advisories/SAP-HANA-Information-Disclosure-via-SQL-IMPORT-FROM-statement
• http://www.securityfocus.com/archive/1/535619/100/0/threaded
• http://www.securityfocus.com/bid/74861
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor