CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34689 – [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)
https://notcve.org/view.php?id=CVE-2024-34689
09 Jul 2024 — WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboración especial de solicitudes HTTP. Si se explota con... • https://me.sap.com/notes/3458789 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-37175 – [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-37175
09 Jul 2024 — SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information. SAP CRM WebClient no realiza la verificación de autorización necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podría permitir que un atacante acceda a información confidencial. SAP CRM WebClient does not perform necessary authorization check for an authenticated user, res... • https://me.sap.com/notes/3467377 • CWE-862: Missing Authorization •
CVSS: 7.7EPSS: 0%CPEs: 7EXPL: 0CVE-2024-39598 – [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-39598
09 Jul 2024 — SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. SAP CRM (WebClient UI Framework) permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboración especial de solicitudes HTTP. Si se explota con éxito, esto puede... • https://me.sap.com/notes/3467377 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2024-37174 – [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-37174
09 Jul 2024 — Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. La opción de soporte CSS personalizado en la interfaz de usuario de SAP CRM WebClient no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting. Si se explota con éxito, un ata... • https://me.sap.com/notes/3467377 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2024-37173 – [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-37173
09 Jul 2024 — Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. Debido a una validación de entrada insuficiente, la interfaz de usuario de SAP CRM WebClient permite que un atacante no autenticado cree un enlace URL que inco... • https://me.sap.com/notes/3467377 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39593 – [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
https://notcve.org/view.php?id=CVE-2024-39593
09 Jul 2024 — SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities. SAP Landscape Management permite a un usuario autenticado leer datos confidenciales revelados por la respuesta de Provider Definition REST. La explotación exitosa puede causar un gran impacto en la confidencialidad de las entidades gestionadas. SAP Landscape Management allows an authentica... • https://me.sap.com/notes/3466801 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39592 – [CVE-2024-39592] Missing Authorization check in SAP PDCE
https://notcve.org/view.php?id=CVE-2024-39592
09 Jul 2024 — Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application. Elements of PDCE no realiza las verificaciones de autorización necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto permite a un atacante leer información confidencial causando un alto impacto en la confidencialidad de la apl... • https://me.sap.com/notes/3483344 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-34691 – Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
https://notcve.org/view.php?id=CVE-2024-34691
11 Jun 2024 — Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system. Administrar archivos de pagos entrantes (F1680) de SAP S/4HANA no realiza las verificaciones de autorización necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un alto impac... • https://me.sap.com/notes/3466175 • CWE-862: Missing Authorization •
CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34684 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
https://notcve.org/view.php?id=CVE-2024-34684
11 Jun 2024 — On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files. En Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) permite que un atacante autenticado con acceso de administrador en el servidor local acceda a la contraseñ... • https://me.sap.com/notes/3441817 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-34690 – Missing Authorization check in SAP Student Life Cycle Management (SLcM)
https://notcve.org/view.php?id=CVE-2024-34690
11 Jun 2024 — SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to access and edit non-sensitive report variants that are typically restricted, causing minimal impact on the confidentiality and integrity of the application. SAP Student Life Cycle Management (SLcM) no realiza comprobaciones de autorización adecuadas para los usuarios autenticados, lo que gene... • https://me.sap.com/notes/3457265 • CWE-862: Missing Authorization •