CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21477
https://notcve.org/view.php?id=CVE-2021-21477
09 Feb 2021 — SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application. SAP Commerce Cloud, versiones - 1808,1811,1905,2005,2011, permite a determ... • https://launchpad.support.sap.com/#/notes/3014121 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21475
https://notcve.org/view.php?id=CVE-2021-21475
09 Feb 2021 — Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data. En circunstancias específicas, SAP Master Data Management, versiones - 710, 710.75... • https://launchpad.support.sap.com/#/notes/3000897 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21472
https://notcve.org/view.php?id=CVE-2021-21472
09 Feb 2021 — SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade. SAP Software Provisioning Manager versión 1.0 (SAP NetWeaver Master Data Management Server versión 7.1) no posee una opción para ajustar una contraseña durante su instalación, esto permite a u... • https://launchpad.support.sap.com/#/notes/2998173 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21469
https://notcve.org/view.php?id=CVE-2021-21469
12 Jan 2021 — When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack a... • https://launchpad.support.sap.com/#/notes/2993032 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 2%CPEs: 11EXPL: 3CVE-2021-21466 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21466
12 Jan 2021 — SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Deni... • https://packetstorm.news/files/id/167229 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21445
https://notcve.org/view.php?id=CVE-2021-21445
12 Jan 2021 — SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking. SAP Commerce Cloud, versiones - 1808, 1811, 1905, 2005, 2011, permite a un atacante autenticado incluir datos invalidados en el encabezado Content Type de la res... • https://launchpad.support.sap.com/#/notes/2984034 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21467
https://notcve.org/view.php?id=CVE-2021-21467
12 Jan 2021 — SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. An unauthorized User is allowed to display restricted Business Partner Generic Market Data (GMD), due to improper authorization check. SAP Banking Services (Generic Market Data) no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios. Un Usuario no autorizado puede mostrar el ... • https://launchpad.support.sap.com/#/notes/3008422 • CWE-862: Missing Authorization •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21470
https://notcve.org/view.php?id=CVE-2021-21470
12 Jan 2021 — SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the applicati... • https://launchpad.support.sap.com/#/notes/3000291 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.9EPSS: 0%CPEs: 12EXPL: 3CVE-2021-21465 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21465
12 Jan 2021 — The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system. La Interfaz de Base de Datos de BW permite a un atacante con pocos privilegios ejecutar cualquier consulta de la base de datos diseñada, exponiendo la base de... • https://packetstorm.news/files/id/167229 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 3CVE-2021-21468 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21468
12 Jan 2021 — The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. La interfaz de Base de Datos de BW no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios que permite al usuario leer prácticamente cualquier tabla de la base de datos The SAP application server ABAP and ABAP Platform are suscepti... • https://packetstorm.news/files/id/167229 • CWE-862: Missing Authorization •