
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Feb 2022 — SAP Adaptive Server Enterprise (ASE) - version 16.0: the installer adds an entry to the system PATH environment variable on the Windows platform which, under certain conditions, allows a standard user to execute malicious Windows binaries, which may lead to privilege escalation on the local system. The issue is in the ASE installer and does not affect other ASE binaries. • https://launchpad.support.sap.com/#/notes/3140564 • CWE-427: Uncontrolled Search Path Element •
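The CWE-427 pattern in this entry is a system PATH entry that a standard user can write to. The audit below is an added example, not SAP's code or the advisory's: it walks a Windows-style PATH value and flags entries an unprivileged user could abuse (writable, non-existent, relative or empty). The sample PATH, the `C:\Vendor\Product\...` directory names and the `SAMPLE_FS` writability map are constructed for the example; the `exists` and `writable` predicates are injectable because `os.access` does not evaluate NTFS ACLs on Windows.

```python
import os
import ntpath
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Finding:
    position: int   # index of the entry in the PATH value, 0 = searched first
    entry: str      # the entry as it appeared
    reason: str     # why a standard user could abuse it


def audit_search_path(path_value: str,
                      exists: Callable[[str], bool] = os.path.isdir,
                      writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
                      sep: str = ";") -> List[Finding]:
    """Flag entries of a Windows-style PATH value that let an unprivileged user
    plant a binary (or a DLL beside one) which a higher-privileged process may
    later resolve through an unqualified name (CWE-427).

    `exists` and `writable` are injectable so the audit can run offline against a
    constructed value. The defaults (os.path.isdir / os.access) do NOT evaluate
    NTFS ACLs on Windows; for a real ACL check wrap `icacls <dir>` or Get-Acl.
    """
    findings: List[Finding] = []
    for position, raw in enumerate(path_value.split(sep)):
        entry = raw.strip().strip('"')
        if entry == "":
            findings.append(Finding(position, raw, "empty entry: resolves to the current working directory"))
        elif not ntpath.isabs(entry):
            findings.append(Finding(position, raw, "relative entry: resolved against the current working directory"))
        elif not exists(entry):
            findings.append(Finding(position, raw, "directory does not exist: whoever can create it controls it"))
        elif writable(entry):
            findings.append(Finding(position, raw, "writable by the current user: binaries/DLLs can be planted here"))
    return findings


# Constructed sample of a system PATH after a product installer has added its own
# directory. Names are hypothetical and not taken from any SAP product.
SAMPLE_ENTRIES = [
    r"C:\Windows\system32",
    r"C:\Windows",
    r"C:\Vendor\Product\bin",      # exists and is writable by standard users
    "",                            # empty entry
    "bin",                         # relative entry
    r"C:\Vendor\Product\tools",    # listed in PATH but never created
]
SAMPLE_PATH = ";".join(SAMPLE_ENTRIES)

# Simulated filesystem for the sample: directory -> writable by a standard user.
SAMPLE_FS = {
    r"C:\Windows\system32": False,
    r"C:\Windows": False,
    r"C:\Vendor\Product\bin": True,
}


def audit_sample() -> List[Finding]:
    """Run the audit against the constructed sample instead of the live PATH."""
    return audit_search_path(SAMPLE_PATH,
                             exists=lambda p: p in SAMPLE_FS,
                             writable=lambda p: SAMPLE_FS[p])


if __name__ == "__main__":
    # Live run against this process's PATH; on Windows remember the ACL caveat above.
    for f in audit_search_path(os.environ.get("PATH", ""), sep=os.pathsep):
        print(f"[{f.position}] {f.entry!r}: {f.reason}")
```

On the sample, the writable product directory at position 2, the empty entry, the relative `bin` and the missing `tools` directory are reported; the two Windows system directories are not. Position matters because search order is position order: a writable directory early in PATH shadows everything after it for any unqualified name not found in the directories Windows searches first.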

CVSS: 9.8 | EPSS: 1% | CPEs: 9 | EXPL: 0

09 Feb 2022 — In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP request that triggers improper shared memory buffer handling. This could allow a malicious payload to be executed and hence functions to be invoked that impersonate the victim or even steal the victim's logon session. • https://launchpad.support.sap.com/#/notes/3123427 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 4.3 | EPSS: 0% | CPEs: 28 | EXPL: 0

14 Jan 2022 — In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4HANA dashboard to reveal systems and services they would not normally be allowed to see. No information alteration or denial of service is possible. • https://launchpad.support.sap.com/#/notes/3112710 •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jan 2022 — SAP Enterprise Threat Detection (ETD) - version 2.0, does not sufficiently encode user-controlled input, which may allow an unauthorized attacker to exploit an XSS vulnerability. The UIs in ETD use SAP UI5 standard controls, and the UI5 framework provides automated output encoding for its standard controls; this output encoding prevents stored malicious user input from being executed when it is reflected in the UI. • https://launchpad.support.sap.com/#/notes/3124597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

14 Jan 2022 — The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified. • https://launchpad.support.sap.com/#/notes/3112928 •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jan 2022 — SAP Business One - version 10.0: the extended log stores information that can be of a sensitive nature and may give valuable guidance to an attacker or expose sensitive user information. • https://launchpad.support.sap.com/#/notes/3106528 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 8.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

14 Jan 2022 — The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code, which could result in critical information being modified or completely compromise the availability of the application. • https://launchpad.support.sap.com/#/notes/3112928 •
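Both F0743 entries above come down to files being accepted and served without checks. The following is an added example, not SAP's code or the advisory's, of the checks a practitioner would put in front of an upload/download feature: a filename sanitizer, an extension allowlist whose content type is decided server-side and confirmed against the file's leading bytes, and response headers that make the browser download the file rather than render it in the application's origin. The allowlist (`ALLOWED_TYPES`), the size limit and the sample byte strings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Allowlist of accepted file types, keyed by extension:
# (MIME type to serve, magic-byte prefixes the content must start with).
# Constructed for this example; restrict it to what the business process needs.
ALLOWED_TYPES: Dict[str, Tuple[str, Tuple[bytes, ...]]] = {
    "pdf": ("application/pdf", (b"%PDF-",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for the example


@dataclass
class UploadCheck:
    ok: bool
    safe_name: str
    mime: Optional[str]
    reason: str


def sanitize_filename(filename: str) -> str:
    """Keep only the last path segment and a conservative character set, so a
    client-supplied name can neither traverse directories nor smuggle header
    syntax (quotes, CR/LF) into Content-Disposition."""
    leaf = re.split(r"[\\/]", filename)[-1]
    leaf = re.sub(r"[^A-Za-z0-9._-]", "_", leaf).strip(".")
    return leaf or "upload"


def validate_upload(filename: str, data: bytes) -> UploadCheck:
    """Reject anything whose extension is not allowlisted or whose bytes do not
    match the type its extension claims. The content type is never taken from
    the client, and active content (.html, .svg, .js) is never accepted."""
    name = sanitize_filename(filename)
    if len(data) > MAX_UPLOAD_BYTES:
        return UploadCheck(False, name, None, "file too large")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return UploadCheck(False, name, None, f"extension '{ext}' not allowed")
    mime, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return UploadCheck(False, name, None, f"content does not look like .{ext}")
    return UploadCheck(True, name, mime, "ok")


def download_headers(check: UploadCheck) -> Dict[str, str]:
    """Headers for serving a previously validated file: forced download, no MIME
    sniffing, and a sandboxed document even if the browser renders it anyway."""
    if not check.ok:
        raise ValueError("refusing to serve a file that failed validation")
    return {
        "Content-Type": check.mime,
        "Content-Disposition": f'attachment; filename="{check.safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed inputs for the example
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PDF_BYTES = b"%PDF-1.4\n1 0 obj\n"
SVG_NAMED_PNG = b"<svg onload=alert(document.domain)>"  # script hiding behind a .png name

if __name__ == "__main__":
    for fname, blob in (("receipt.png", PNG_BYTES), ("receipt.html", b"<script>"),
                        ("receipt.png", SVG_NAMED_PNG), ("..\\..\\windows\\x.pdf", PDF_BYTES)):
        print(fname, validate_upload(fname, blob))
```

The magic-byte check is what stops the classic stored-XSS upload: a file named `.png` but containing SVG or HTML is rejected before it is stored, and whatever is stored is later served with `attachment` and `nosniff` so the browser will not execute it in the application's origin.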

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Dec 2021 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. This allows a low-privileged attacker to retrieve some data from the victim, but never to modify the document and publish those modifications to the server. It affects the "Quick Prompt" workflow. • https://launchpad.support.sap.com/#/notes/3103677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Dec 2021 — When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until the application is restarted. • https://launchpad.support.sap.com/#/notes/3121165 • CWE-20: Improper Input Validation •

CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

14 Dec 2021 — If configured to use an Oracle database, and if a query is created using the flexible search Java API with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values. • https://launchpad.support.sap.com/#/notes/3114134 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
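The 1000-value threshold in this entry matches Oracle's limit on expressions in a single IN list (ORA-01795), which is exactly where a query builder is tempted to stop binding and start concatenating. The following is an added example, not SAP Commerce code or the flexible search API: a vulnerable builder that inlines values once the list exceeds the limit, next to a safe builder that keeps every value bound and splits the list into OR-ed IN lists. It runs against an in-memory SQLite table with constructed rows and a deliberately small `limit` so the overflow path is reached with three values; the table, column allowlist and payload are all assumptions of the example.

```python
import sqlite3
from typing import Any, Dict, List, Sequence, Tuple

# Oracle rejects more than 1000 expressions in a single IN list (ORA-01795).
ORACLE_IN_LIST_LIMIT = 1000

# The column name is not user input: callers must pick it from an allowlist.
ALLOWED_COLUMNS = {"owner", "name"}


def unsafe_in_query(column: str, values: Sequence[Any],
                    limit: int = ORACLE_IN_LIST_LIMIT) -> Tuple[str, List[Any]]:
    """The vulnerable pattern: values are bound while the list fits one IN list,
    but once it exceeds the limit they are concatenated into the SQL text."""
    assert column in ALLOWED_COLUMNS
    if len(values) <= limit:
        marks = ",".join("?" for _ in values)
        return f"SELECT id, name FROM items WHERE {column} IN ({marks}) ORDER BY id", list(values)
    literals = ",".join(f"'{v}'" for v in values)      # no quoting -> SQL injection
    return f"SELECT id, name FROM items WHERE {column} IN ({literals}) ORDER BY id", []


def safe_in_query(column: str, values: Sequence[Any],
                  limit: int = ORACLE_IN_LIST_LIMIT) -> Tuple[str, List[Any]]:
    """The fix: every value stays a bind parameter; lists longer than the limit
    are split into several IN lists joined with OR, so the statement is valid on
    Oracle and the database never parses attacker-supplied text as SQL."""
    assert column in ALLOWED_COLUMNS
    values = list(values)
    if not values:
        return "SELECT id, name FROM items WHERE 1=0 ORDER BY id", []
    chunks = [values[i:i + limit] for i in range(0, len(values), limit)]
    clauses = " OR ".join(f"{column} IN ({','.join('?' for _ in chunk)})" for chunk in chunks)
    return f"SELECT id, name FROM items WHERE ({clauses}) ORDER BY id", values


def run_demo(limit: int = 2) -> Dict[str, List[Tuple[int, str]]]:
    """Run both builders against an in-memory SQLite table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "ledger", "alice"), (2, "payroll", "bob"), (3, "notes", "alice")])
    # Attacker-controlled list: two ordinary values plus one that closes the IN
    # list and appends a tautology. It only bites once len(values) > limit.
    requested = ["alice", "nobody", "x') OR ('1'='1"]
    results: Dict[str, List[Tuple[int, str]]] = {}
    for label, builder in (("unsafe", unsafe_in_query), ("safe", safe_in_query)):
        sql, params = builder("owner", requested, limit)
        results[label] = conn.execute(sql, params).fetchall()
    return results


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(label, rows)
```

With `limit=2` the unsafe builder emits `... WHERE owner IN ('alice','nobody','x') OR ('1'='1') ORDER BY id` and returns every row, including bob's; the safe builder emits `... WHERE (owner IN (?,?) OR owner IN (?)) ...` with the payload passed as a bind value and returns only alice's rows. The same splitting keeps a 2500-value list as three bound IN lists, which is the shape Oracle accepts.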