
CVSS: 6.1 | EPSS: 0% | CPEs: 3 | EXPL: 3

08 Mar 2022 — Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected. • https://packetstorm.news/files/id/167561 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

08 Mar 2022 — Simple Diagnostics Agent - versions 1.0 (up to version 1.57), allows an attacker to access information which would otherwise be restricted via a random port 9000-65535. This allows information gathering which could be used to exploit future open-source security exploits. • http://packetstormsecurity.com/files/167562/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Information-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 3

08 Mar 2022 — The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP Focused Run versions 2.00 and 3.00 suffer from a cross s... • https://packetstorm.news/files/id/167559 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

08 Mar 2022 — SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2022 — SAPCAR - version 7.22, does not contain sufficient input validation on the SAPCAR archive. As a result, the SAPCAR process may crash, and the attacker may obtain privileged access to the system. • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-20: Improper Input Validation • CWE-129: Improper Validation of Array Index

CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

08 Mar 2022 — Due to a missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker to access content on the start screen of any transaction that is available within the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in the worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-862: Missing Authorization

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

08 Mar 2022 — The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations. • https://packetstorm.news/files/id/167560 • CWE-306: Missing Authentication for Critical Function

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

08 Mar 2022 — Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted. • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Feb 2022 — Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720, allows an administrator to execute code on all connected Diagnostics Agents and browse files on their systems. An attacker could thereby control the managed systems. It is considered that this is a missing segregation of duty for the SAP Solution Manager administrator. Impacts of unauthorized execution of commands can lead to sensitive information disclosure, loss of system integrity and denial of service. • https://launchpad.support.sap.com/#/notes/3140940

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Feb 2022 — Due to improper HTML encoding in input control summary, an authorized attacker can execute an XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. • https://launchpad.support.sap.com/#/notes/3126748 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')