
CVE-2021-33692
https://notcve.org/view.php?id=CVE-2021-33692
15 Sep 2021 — SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be crafted to inject special elements such as '..' and '/' separators, allowing attackers to escape the restricted location and access files or directories outside it. • https://launchpad.support.sap.com/#/notes/3058553 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-33696
https://notcve.org/view.php?id=CVE-2021-33696
15 Sep 2021 — SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user-controlled inputs; therefore an authorized attacker can exploit an XSS vulnerability to non-permanently deface or modify content displayed by a web site. • https://launchpad.support.sap.com/#/notes/3062085 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-33690
https://notcve.org/view.php?id=CVE-2021-33690
15 Sep 2021 — A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service, versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the server and impact its availability. Note: The impact of t... • https://github.com/redrays-io/CVE-2021-33690 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2021-38174
https://notcve.org/view.php?id=CVE-2021-38174
14 Sep 2021 — When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until the application is restarted. • https://launchpad.support.sap.com/#/notes/3087791 •

CVE-2021-33688
https://notcve.org/view.php?id=CVE-2021-33688
14 Sep 2021 — SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. • https://launchpad.support.sap.com/#/notes/3069882 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2021-33686
https://notcve.org/view.php?id=CVE-2021-33686
14 Sep 2021 — Under certain conditions, SAP Business One version - 10.0 allows an unauthorized attacker to gain access to some encrypted sensitive information, but the attacker has no control over the kind or degree of information disclosed. • https://launchpad.support.sap.com/#/notes/3070138 •

CVE-2021-33674
https://notcve.org/view.php?id=CVE-2021-33674
14 Sep 2021 — Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code in the victim's browser. • https://launchpad.support.sap.com/#/notes/3073891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-38177 – SAP CommonCryptoLib Null Pointer Dereference
https://notcve.org/view.php?id=CVE-2021-38177
14 Sep 2021 — SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to a null pointer dereference when an unauthenticated attacker sends crafted malicious data in HTTP requests over the network. This causes the SAP application to crash and has a high impact on the availability of the SAP system. • http://packetstormsecurity.com/files/165749/SAP-CommonCryptoLib-Null-Pointer-Dereference.html • CWE-476: NULL Pointer Dereference •

CVE-2021-33685
https://notcve.org/view.php?id=CVE-2021-33685
14 Sep 2021 — SAP Business One version - 10.0 allows a low-level authorized attacker to traverse the file system and access files or directories that are outside of the restricted directory. A successful attack allows access to highly sensitive data. • https://launchpad.support.sap.com/#/notes/3069032 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-33672
https://notcve.org/view.php?id=CVE-2021-33672
14 Sep 2021 — Due to missing encoding in SAP Contact Center's Communication Desktop component - version 700, an attacker could send a malicious script in a chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality and integrity, and could temporarily impact their availabilit... • https://launchpad.support.sap.com/#/notes/3073891 • CWE-116: Improper Encoding or Escaping of Output •