CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35293
https://notcve.org/view.php?id=CVE-2022-35293
Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to user's account. On successful exploitation, an attacker can view or modify user data causing limited impact on confidentiality and integrity of the application. Debido a una administración insegura de la sesión, SAP Enable Now permite a un atacante no autenticado obtener acceso a la cuenta del usuario. Si es explotado con éxito, un atacante puede visualizar o modificar los datos del usuario causando un impacto limitado en la confidencialidad e integridad de la aplicación • https://launchpad.support.sap.com/#/notes/3210566 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35290
https://notcve.org/view.php?id=CVE-2022-35290
Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted. En determinadas condiciones, SAP Authenticator para Android permite a un atacante acceder a información que de otro modo estaría restringida • https://launchpad.support.sap.com/#/notes/3216653 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35291 – Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
https://notcve.org/view.php?id=CVE-2022-35291
Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application Debido a los endpoints de la aplicación configurados inapropiadamente, las APIs de adjuntos de SAP SuccessFactors permiten a atacantes privilegiados de usuario llevar a cabo actividades con privilegios de administrador a través de la red. Estas APIs fueron consumidas en la aplicación SF Mobile para Time Off, Time Sheet, EC Workflow y Benefits. • https://launchpad.support.sap.com/#/notes/3226411 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32249
https://notcve.org/view.php?id=CVE-2022-32249
Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high privileged account credentials) En un escenario especial de integración de SAP Business One y SAP HANA - versión 10.0, un atacante puede explotar el volumen de datos del cockpit de HANA para acceder a información altamente confidencial (por ejemplo, credenciales de cuentas con altos privilegios) • https://launchpad.support.sap.com/#/notes/3212997 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-35224
https://notcve.org/view.php?id=CVE-2022-35224
SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim�s web browser session. SAP Enterprise Portal - versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS). Este ataque puede usarse para desfigurar o modificar de forma no permanente el contenido del portal. • https://launchpad.support.sap.com/#/notes/3210779 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •