CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-31405 – Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
https://notcve.org/view.php?id=CVE-2023-31405
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability. • https://me.sap.com/notes/3324732 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-117: Improper Output Neutralization for Logs •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30744 – Improper access control during application start-up in SAP AS NetWeaver JAVA.
https://notcve.org/view.php?id=CVE-2023-30744
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability. • https://launchpad.support.sap.com/#/notes/3317453 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0CVE-2023-28763 – Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-28763
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. • https://launchpad.support.sap.com/#/notes/3296378 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2023-27499 – Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML
https://notcve.org/view.php?id=CVE-2023-27499
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker. • https://launchpad.support.sap.com/#/notes/3275458 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 14EXPL: 0CVE-2023-27501 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2023-27501
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity • https://launchpad.support.sap.com/#/notes/3294954 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •