
CVE-2021-33704
https://notcve.org/view.php?id=CVE-2021-33704
15 Sep 2021 — The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. No in-depth system knowledge is required for an attacker to discover the vulnerable function. Once exploited over the network, the attacker may be able to read, modify or delete restricted data. The impact is that the missing authorization check permits abuse of functionality usually restricted to specific users. • https://launchpad.support.sap.com/#/notes/3078072 • CWE-862: Missing Authorization •
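The control whose absence this entry describes is function-level authorization enforced at the service boundary, not in the client UI. The following is an added example, not SAP code and not derived from the SAP note: a deny-by-default dispatcher in which every network-reachable function must be registered with the permission it requires, so an unregistered function cannot be invoked at all and a registered one is checked on every call. The role model, function names and order data are constructed for the example.

```python
"""Deny-by-default function-level authorization for a service layer.

Added example (not SAP's implementation). Any function not registered via
@service_function is unreachable through invoke(); registered ones are
checked server-side on every call, whatever the client UI exposes.
Roles, permissions and sample data below are constructed."""
from functools import wraps

ROLE_PERMISSIONS = {  # assumption: the application's role-to-permission model
    "sales": {"read_orders"},
    "accounting": {"read_orders", "read_ledger"},
    "admin": {"read_orders", "read_ledger", "delete_orders"},
}

_REGISTRY = {}  # function name -> guarded callable


class Forbidden(PermissionError):
    pass


def service_function(permission: str):
    """Expose a function through invoke() and bind it to a required permission."""
    def decorator(fn):
        @wraps(fn)
        def guarded(user, *args, **kwargs):
            granted = ROLE_PERMISSIONS.get(user.get("role"), set())
            if permission not in granted:
                raise Forbidden(f"{user.get('name', '?')} lacks {permission}")
            return fn(user, *args, **kwargs)
        _REGISTRY[fn.__name__] = guarded
        return guarded
    return decorator


@service_function("read_orders")
def list_orders(user):
    return ["SO-1001", "SO-1002"]  # constructed sample data


@service_function("delete_orders")
def delete_order(user, order_id):
    return f"deleted {order_id}"


def export_ledger(user):
    """Deliberately not registered: present in the code base, yet not callable
    over the network because the dispatcher only knows registered functions."""
    return "ledger"


def invoke(user, name, *args, **kwargs):
    """Single network entry point. Unknown names are refused before any
    argument handling, so there is no unauthenticated code path to probe."""
    guarded = _REGISTRY.get(name)
    if guarded is None:
        raise Forbidden(f"{name} is not an exposed function")
    return guarded(user, *args, **kwargs)


def attempt(user, name, *args):
    """Demo helper: return the call's result, or the refusal text."""
    try:
        return invoke(user, name, *args)
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    sales = {"name": "alice", "role": "sales"}
    admin = {"name": "root", "role": "admin"}
    print(attempt(sales, "list_orders"))
    print(attempt(sales, "delete_order", "SO-1001"))
    print(attempt(sales, "export_ledger"))
    print(attempt(admin, "delete_order", "SO-1001"))
```

The point of the registry is that discovery of a function (which the advisory says needs no in-depth knowledge) gains the attacker nothing: an exposed function carries its permission with it, and a function that was never meant to be exposed is not in the table.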

CVE-2021-33701 – SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG ABAP Code Injection
https://notcve.org/view.php?id=CVE-2021-33701
15 Sep 2021 — DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to a highly privileged account to execute a manipulated query in the NDZT tool and gain access to the Superuser account. This SQL injection vulnerability has a high impact on the system's confidentiality, integrity and availability. • https://packetstorm.news/files/id/165304 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2021-33698
https://notcve.org/view.php?id=CVE-2021-33698
15 Sep 2021 — SAP Business One, version - 10.0, allows an attacker with business authorization to upload arbitrary files (including script files) without proper file format validation. • https://launchpad.support.sap.com/#/notes/3071984 • CWE-434: Unrestricted Upload of File with Dangerous Type •
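"Proper file format validation" means checking the content, not only the client-supplied name. The following is an added example, not SAP's code and not taken from the SAP note: an upload check that pairs an extension allowlist with a magic-byte check of the payload and refuses double extensions, shown next to the extension-only check that a script file with a spoofed name slips past. The allowed types, size limit and sample uploads are constructed for the example.

```python
"""Upload validation: extension allowlist plus content sniffing.

Added example (not SAP's implementation). A script file renamed to .png
passes an extension-only check but fails the signature check; a double
extension such as cmd.jsp.png is refused outright. All sample payloads
and limits below are constructed."""
import os

# Allowed extensions and the signature each payload must begin with.
# Assumption: these are the only types the feature needs to accept.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_SIZE = 5 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    pass


def safe_extension(filename: str) -> str:
    """Lower-cased extension of the client name after dropping any directory
    part; names with zero or more than one extension are rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("empty or reserved file name")
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected("file name must have exactly one extension")
    return "." + parts[1].lower()


def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted extension or raise UploadRejected.

    The declared extension must be allowlisted AND the leading bytes must
    match that type's signature, so content and name agree."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    ext = safe_extension(filename)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext} not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match {ext} signature")
    return ext


def extension_only_allows(filename: str) -> bool:
    """The weak check, shown for contrast: trusts the last extension only."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_TYPES


# Constructed sample uploads (name -> bytes).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "cmd.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "cmd.jsp.png": b"\x89PNG\r\n\x1a\n<% ... %>",
    "fake.png": b'<% Runtime.getRuntime().exec("id"); %>',
    "../../etc/cron.d/job.png": b"\x89PNG\r\n\x1a\n",
}


def classify(samples=SAMPLES) -> dict:
    """Run each sample through both checks: name -> (strict result, weak verdict)."""
    results = {}
    for name, payload in samples.items():
        try:
            strict = validate_upload(name, payload)
        except UploadRejected as exc:
            strict = f"rejected: {exc}"
        results[name] = (strict, extension_only_allows(name))
    return results


if __name__ == "__main__":
    for name, (strict, weak) in classify().items():
        print(f"{name:28s} strict={strict!r:50s} extension-only={weak}")
```

Beyond this, the stored file should be written under a server-generated name outside any web-served or interpreter-scanned directory, so that even a file the check wrongly accepts is never executed.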

CVE-2021-33705 – SAP Enterprise Portal iviewCatcherEditor Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2021-33705
15 Sep 2021 — The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, causes the Portal to make any type of request (e.g. POST, GET) to any internal or external server. This can result in access to or modification of data reachable from the Portal, but does not affect its availability. • http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html • CWE-918: Server-Side Request Forgery (SSRF) •
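The defensive counterpart to "any internal or external server" is a destination check applied before the server issues the request. The following is an added example, not SAP's code and not the fix shipped for this CVE: a validator that allowlists scheme, port and host, refuses credentials in the URL, and classifies IP literals (including IPv4-mapped IPv6) so loopback, private, link-local and metadata-style addresses are rejected. Host names are only accepted from an explicit allowlist, which avoids a DNS lookup and the rebinding race that comes with resolving and then connecting separately. The allowed hosts and sample URLs are constructed for the example.

```python
"""Outbound-URL check for a server-side fetch of a user-supplied target.

Added example (not SAP's implementation). Anything not provably safe is
refused: scheme/port allowlist, no userinfo, IP literals classified and
rejected, host names matched against an explicit allowlist. The allowlist
entries and the URLs in the demo are constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"feeds.example.com", "cdn.example.org"}  # assumption


def _is_internal(ip) -> bool:
    """True for addresses that must never be fetched on a user's behalf."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str):
    """Return (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # IP literal: classify it. Decimal/hex/short forms such as 2130706433
    # or 127.1 are not parsed here, and fall through to the host allowlist.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if _is_internal(ip):
            return False, f"address {ip} is internal"
        return False, "raw IP literals are not allowed"
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed probe URLs of the kind an SSRF tester would try.
    for u in [
        "https://feeds.example.com/rss",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://feeds.example.com@169.254.169.254/",
        "http://2130706433/",
        "file:///etc/passwd",
        "http://feeds.example.com:8080/",
    ]:
        print(f"{u:48s} -> {check_outbound_url(u)}")
```

The check must run again on every redirect the fetch follows, or redirects must be disabled; an allowlisted host that answers with a 302 to an internal address otherwise reopens the hole.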

CVE-2021-33700
https://notcve.org/view.php?id=CVE-2021-33700
15 Sep 2021 — SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser, under certain circumstances, to log in as the victim without knowing the victim's password. The attacker could thereby obtain highly sensitive information and use it to take substantial control of the vulnerable application. • https://launchpad.support.sap.com/#/notes/3073325 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2021-33694
https://notcve.org/view.php?id=CVE-2021-33694
15 Sep 2021 — SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights to include malicious code that is stored in the database and, when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting. • https://launchpad.support.sap.com/#/notes/3058553 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-33691
https://notcve.org/view.php?id=CVE-2021-33691
15 Sep 2021 — NWDI Notification Service, versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim has an active session when the crafted script is executed, the threat actor could compromise information in the victim's session and gain access to some sensitive information. • https://launchpad.support.sap.com/#/notes/3073450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-33693
https://notcve.org/view.php?id=CVE-2021-33693
15 Sep 2021 — SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious code that could potentially lead to OS command execution. • https://launchpad.support.sap.com/#/notes/3058553 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2021-33697
https://notcve.org/view.php?id=CVE-2021-33697
15 Sep 2021 — Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. • https://launchpad.support.sap.com/#/notes/3063048 • CWE-269: Improper Privilege Management CWE-1022: Use of Web Link to Untrusted Target with window.opener Access •
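Reverse tabnabbing works because a page opened with target="_blank" (or window.open) keeps a window.opener reference and can set opener.location to a look-alike login page while the user's attention is on the new tab. The following is an added example, not SAP's code and unrelated to the SAPUI5 fix: a small HTML audit that flags anchors, areas and forms opening a new browsing context without rel="noopener" or rel="noreferrer", plus the attribute rewrite that hardens them. The sample page and its URLs are constructed for the example.

```python
"""Audit markup for window.opener exposure (CWE-1022).

Added example (not SAP's implementation). Elements whose target opens a
new top-level context must carry rel=noopener (or noreferrer, which
implies it). The opened page could otherwise run, for instance,
    window.opener.location = "https://login.example-phish.test/"
The sample page below is constructed."""
from html.parser import HTMLParser

_SAME_CONTEXT = ("", "_self", "_parent", "_top")  # targets that reuse a context


class OpenerAudit(HTMLParser):
    """Collect <a>/<area>/<form> elements that open a new context without
    a rel value that severs the opener link."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, target, destination, line)
        self.checked = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area", "form"):
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases names
        target = a.get("target", "").strip().lower()
        if target in _SAME_CONTEXT:
            return
        self.checked += 1
        rel = set(a.get("rel", "").lower().split())
        dest = a.get("href", a.get("action", ""))
        if not rel & {"noopener", "noreferrer"}:
            self.findings.append((tag, target, dest, self.getpos()[0]))


def audit_html(markup: str):
    """Return the list of exposed elements in the markup."""
    parser = OpenerAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


def harden_attrs(attrs: dict) -> dict:
    """Copy of an element's attributes with rel amended so a new-context
    target cannot reach window.opener."""
    fixed = dict(attrs)
    if fixed.get("target", "").strip().lower() not in _SAME_CONTEXT:
        rel = set(fixed.get("rel", "").split())
        rel.add("noopener")
        fixed["rel"] = " ".join(sorted(rel))
    return fixed


# Constructed sample page: two exposed elements, two hardened, one in-tab.
SAMPLE_PAGE = """<html><body>
<a href="https://partner.example/report" target="_blank">partner report</a>
<a href="https://docs.example/" target="_blank" rel="noopener">docs</a>
<a href="https://mirror.example/" target="_blank" rel="noreferrer nofollow">mirror</a>
<a href="/internal" target="_self">same tab</a>
<form action="https://export.example/csv" method="post" target="_blank"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, target, dest, line in audit_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag} target={target}> -> {dest} lacks rel=noopener")
```

Current major browsers already treat target="_blank" as if noopener were set, so the explicit attribute mainly protects users of older browsers and any link that is opened through window.open() without the "noopener" feature string; a content-security review should still treat the attribute as required on links to untrusted destinations.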

CVE-2021-33695
https://notcve.org/view.php?id=CVE-2021-33695
15 Sep 2021 — SAP Cloud Connector, version - 2.0, may accept communication with the backend without sufficient validation of the backend's certificate. • https://launchpad.support.sap.com/#/notes/3058553 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
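CWE-297 is the case where the chain validates but nobody checks that the certificate was issued for the host actually being connected to, so any certificate from a trusted CA will do. The following is an added example, not SAP's code and not the Cloud Connector fix: the host-name matching rules a client must apply to the certificate's dNSName SANs (case-insensitive, wildcard only as the entire left-most label, matching exactly one label, never for a name with fewer than three labels), written out so they are visible, next to the standard-library client settings in which the weak and the hardened configuration differ. The SAN entries and host names are constructed for the example.

```python
"""Host-name matching for server certificates (CWE-297), with the TLS
client settings that make the standard library enforce it.

Added example (not SAP's implementation). hostname_matches() spells out
the RFC 6125 restricted-wildcard rules; in real clients rely on
ssl.create_default_context(), which applies them for you. All certificate
names used below are constructed."""
import ssl

_SAME = ("", )


def hostname_matches(cert_dns_names, hostname: str) -> bool:
    """True if hostname matches any dNSName SAN entry."""
    host = hostname.lower().rstrip(".")
    if not host or "*" in host:
        return False
    host_labels = host.split(".")
    for name in cert_dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue                      # a wildcard never spans labels
        if "*" in name:
            # Wildcard only as the whole left-most label, not 'f*.corp...',
            # and not for short names such as '*.com'.
            if pat_labels[0] != "*" or any("*" in l for l in pat_labels[1:]):
                continue
            if len(pat_labels) < 3:
                continue
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: any certificate for any name is accepted.
    Shown only for contrast; this is what 'without sufficient validation'
    looks like in code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Chain must reach a trusted CA and a SAN must match the host passed as
    server_hostname to wrap_socket(); cafile pins the backend's private CA
    when one is used (assumption: the deployment has such a bundle)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """The two settings that decide whether CWE-295/297 applies."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    san = ["backend.corp.example", "*.svc.corp.example"]   # constructed SANs
    for h in ["backend.corp.example", "erp.svc.corp.example",
              "a.b.svc.corp.example", "attacker.example"]:
        print(f"{h:24s} matches={hostname_matches(san, h)}")
    print("insecure:", describe_context(insecure_client_context()))
    print("hardened:", describe_context(hardened_client_context()))
```

When the backend uses a private CA, pass its bundle as cafile rather than turning verification off; the mismatch case is exactly the one that lets a different host on the same network, holding any certificate the client trusts, stand in for the backend.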