CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-42064
https://notcve.org/view.php?id=CVE-2021-42064
14 Dec 2021 — If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values. Si es configurado para usar una base de datos Oracle y si se crea una consulta usando la api java de búsqueda flexible con una cláusula "in" parametrizada, ... • https://launchpad.support.sap.com/#/notes/3114134 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-42069 – SAP 3D Visual Enterprise Viewer JT File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-42069
14 Dec 2021 — When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application Cuando un usuario abre un archivo manipulado Tagged Image File Format (.tif) recibido de fuentes no confiables en SAP 3D Visual Enterprise Viewer - versión 9.0, la aplicación se bloquea y deja de estar disponible temporalmente para el usuario hasta que se re... • https://launchpad.support.sap.com/#/notes/3121165 • CWE-787: Out-of-bounds Write •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-42066
https://notcve.org/view.php?id=CVE-2021-42066
14 Dec 2021 — SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able to completely compromise confidentiality, integrity, and availability of the application. SAP Business One - versión 10.0, permite a un usuario administrador ver la contraseña de la base de datos en texto plano a través de la red, qu... • https://launchpad.support.sap.com/#/notes/3101299 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 6.1EPSS: 42%CPEs: 4EXPL: 2CVE-2021-42063 – SAP Knowledge Warehouse 7.50 / 7.40 / 7.31 / 7.30 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-42063
14 Dec 2021 — A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data. Se ha detectado una vulnerabilidad de seguridad en SAP Knowledge Warehouse - versiones 7.30, 7.31, 7.40, 7.50. El uso de un componente de SAP KW dentro de un navegador web permite a atacantes no autorizados llevar a cabo ataques de tipo XSS, lo q... • https://packetstorm.news/files/id/166369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 14EXPL: 0CVE-2021-44232
https://notcve.org/view.php?id=CVE-2021-44232
14 Dec 2021 — SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server. SAF-T Framework Transaction SAFTN_G permite a un atacante explotar una comprobación insuficiente de la información de la ruta proporcionada por el usuario normal, conllevando a un acceso completo al directorio de... • https://launchpad.support.sap.com/#/notes/3124094 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44235
https://notcve.org/view.php?id=CVE-2021-44235
14 Dec 2021 — Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. Dos métodos de una clase de utilidad en SAP NetWeaver AS ABA... • https://launchpad.support.sap.com/#/notes/3123196 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-44233
https://notcve.org/view.php?id=CVE-2021-44233
14 Dec 2021 — SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges. SAP GRC Access Control - versiones V1100_700, V1100_731, V1200_750, no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, lo que podría conllevar a una escalada de privilegios • https://launchpad.support.sap.com/#/notes/3080816 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-44231
https://notcve.org/view.php?id=CVE-2021-44231
14 Dec 2021 — Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. Los informes de extracción de texto usados internamente permiten a un atacante inyectar código que puede ser ejecutado por la aplicación. Un atacante podría así controlar el comportamiento de la aplicación • https://launchpad.support.sap.com/#/notes/3119365 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-42062
https://notcve.org/view.php?id=CVE-2021-42062
10 Nov 2021 — SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts. SAP ERP HCM Portugal no lleva a cabo las comprobaciones de autorización necesarias para un informe que lee los datos de las nóminas de los empleados de un área determinada. Como el informe afectado sólo lee la información de la ... • https://launchpad.support.sap.com/#/notes/3104456 • CWE-862: Missing Authorization •
CVSS: 4.9EPSS: 0%CPEs: 15EXPL: 0CVE-2021-40504
https://notcve.org/view.php?id=CVE-2021-40504
10 Nov 2021 — A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions. Un determinado rol de plantilla en SAP NetWeaver Application Server para ABAP y ABAP Platform - versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contiene autorizaciones de transporte, que exceden los permisos esperados d... • https://launchpad.support.sap.com/#/notes/3105728 • CWE-863: Incorrect Authorization •