CVSS: 9.9EPSS: 0%CPEs: -EXPL: 0CVE-2025-31330 – Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)
https://notcve.org/view.php?id=CVE-2025-31330
08 Apr 2025 — SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. SAP Landscape Transformation (SLT) permite a un atacante con privilegios de usua... • https://me.sap.com/notes/3587115 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-30013 – Code Injection vulnerability in SAP ERP BW Business Content
https://notcve.org/view.php?id=CVE-2025-30013
08 Apr 2025 — SAP ERP BW Business Content is vulnerable to OS Command Injection through certain function modules. These function modules, when executed with elevated privileges, improperly handle user input, allowing attacker to inject arbitrary OS commands. This vulnerability allows the execution of unintended commands on the underlying system, posing a significant security risk to the confidentiality, integrity and availability of the application. SAP ERP BW Business Content es vulnerable a la inyección de comandos del... • https://me.sap.com/notes/3571093 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-27429 – Code Injection Vulnerability in SAP S/4HANA (Private Cloud)
https://notcve.org/view.php?id=CVE-2025-27429
08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. SAP S/4HANA permite a un atacante con privilegios de usuario explotar una vulnerabilidad en el módulo d... • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23186 – Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-23186
08 Apr 2025 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. En ciertas circunstancias, SAP NetWeaver Application Server ABAP permit... • https://me.sap.com/notes/3554667 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3397 – YzmCMS message.tpl cross site scripting
https://notcve.org/view.php?id=CVE-2025-3397
08 Apr 2025 — A vulnerability classified as problematic has been found in YzmCMS 7.1. Affected is an unknown function of the file message.tpl. The manipulation of the argument gourl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.303642 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3393 – mrcen springboot-ucan-admin Personal Settings Interface index cross site scripting
https://notcve.org/view.php?id=CVE-2025-3393
08 Apr 2025 — A vulnerability was found in mrcen springboot-ucan-admin up to 5f35162032cbe9288a04e429ef35301545143509. It has been classified as problematic. This affects an unknown part of the file /ucan-admin/index of the component Personal Settings Interface. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. • https://gitee.com/mrcen/springboot-ucan-admin/issues/IBT2W5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3392 – hailey888 oa_system Backend MailController.java save cross site scripting
https://notcve.org/view.php?id=CVE-2025-3392
08 Apr 2025 — A vulnerability was found in hailey888 oa_system up to 2025.01.01 and classified as problematic. Affected by this issue is the function Save of the file cn/gson/oasys/controller/mail/MailController.java of the component Backend. The manipulation of the argument MailNumberId leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/hailey888/oa_system/issues/IBRQZ9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3391 – hailey888 oa_system Backend AddrController. java outAddress cross site scripting
https://notcve.org/view.php?id=CVE-2025-3391
08 Apr 2025 — A vulnerability has been found in hailey888 oa_system up to 2025.01.01 and classified as problematic. Affected by this vulnerability is the function outAddress of the file cn/gson/oass/controller/address/AddrController. java of the component Backend. The manipulation of the argument outtype leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/hailey888/oa_system/issues/IBRRX3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3390 – hailey888 oa_system Backend DaymanageController.java addandchangeday cross site scripting
https://notcve.org/view.php?id=CVE-2025-3390
08 Apr 2025 — A vulnerability, which was classified as problematic, was found in hailey888 oa_system up to 2025.01.01. Affected is the function addandchangeday of the file cn/gson/oass/controller/daymanager/DaymanageController.java of the component Backend. The manipulation of the argument scheduleList leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/hailey888/oa_system/issues/IBRRZX • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3389 – hailey888 oa_system Backend InformManageController.java testMess cross site scripting
https://notcve.org/view.php?id=CVE-2025-3389
07 Apr 2025 — A vulnerability, which was classified as problematic, has been found in hailey888 oa_system up to 2025.01.01. This issue affects the function testMess of the file cn/gson/oasys/controller/inform/InformManageController.java of the component Backend. The manipulation of the argument menu leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/hailey888/oa_system/issues/IBRQXH • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •