CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34684 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
https://notcve.org/view.php?id=CVE-2024-34684
11 Jun 2024 — On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files. En Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) permite que un atacante autenticado con acceso de administrador en el servidor local acceda a la contraseñ... • https://me.sap.com/notes/3441817 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-34690 – Missing Authorization check in SAP Student Life Cycle Management (SLcM)
https://notcve.org/view.php?id=CVE-2024-34690
11 Jun 2024 — SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to access and edit non-sensitive report variants that are typically restricted, causing minimal impact on the confidentiality and integrity of the application. SAP Student Life Cycle Management (SLcM) no realiza comprobaciones de autorización adecuadas para los usuarios autenticados, lo que gene... • https://me.sap.com/notes/3457265 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-37176 – Missing Authorization check in SAP BW/4HANA Transformation and DTP
https://notcve.org/view.php?id=CVE-2024-37176
11 Jun 2024 — SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application. El proceso de transformación y transferencia de datos (DTP) de SAP BW/4HANA permite que un atacante autenticado obtenga niveles de acceso más altos de los... • https://me.sap.com/notes/3465455 • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2024-34686 – Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
https://notcve.org/view.php?id=CVE-2024-34686
11 Jun 2024 — Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. Debido a una validación de entrada insuficiente, la interfaz de usuario de SAP CRM WebClient permite que un atacante no autenticado cree un enlace URL que inco... • https://me.sap.com/notes/3465129 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2024-34683 – Unrestricted file upload in SAP Document Builder (HTTP service)
https://notcve.org/view.php?id=CVE-2024-34683
11 Jun 2024 — An authenticated attacker can upload malicious file to SAP Document Builder service. When the victim accesses this file, the attacker is allowed to access, modify, or make the related information unavailable in the victim’s browser. Un atacante autenticado puede cargar un archivo malicioso en el servicio SAP Document Builder. Cuando la víctima accede a este archivo, el atacante puede acceder, modificar o hacer que la información relacionada no esté disponible en el navegador de la víctima. An authenticated ... • https://me.sap.com/notes/3459379 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33001 – Denial of service (DOS) in SAP NetWeaver and ABAP platform
https://notcve.org/view.php?id=CVE-2024-33001
11 Jun 2024 — SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application. La plataforma SAP NetWeaver y ABAP permite a un atacante impedir el rendimiento de usuarios legítimos bloqueando o inundando el servicio. Un impacto de... • https://me.sap.com/notes/3453170 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37178 – Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation
https://notcve.org/view.php?id=CVE-2024-37178
11 Jun 2024 — SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. These endpoints are exposed over the network. The vulnerability can exploit resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to confidentiality of the application. SAP Financial Consolidation no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting... • https://me.sap.com/notes/3457592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37177 – Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation
https://notcve.org/view.php?id=CVE-2024-37177
11 Jun 2024 — SAP Financial Consolidation allows data to enter a Web application through an untrusted source. These endpoints are exposed over the network and it allows the user to modify the content from the web site. On successful exploitation, an attacker can cause significant impact to confidentiality and integrity of the application. SAP Financial Consolidation permite que los datos ingresen a una aplicación web a través de una fuente que no es de confianza. Estos endpoints están expuestos a través de la red y permi... • https://me.sap.com/notes/3457592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-33004 – Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
https://notcve.org/view.php?id=CVE-2024-33004
14 May 2024 — SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. SAP Business Objects Business Intelligence Platform es vulnerable al almacenamiento inseguro, ya que las páginas web dinámicas se almacenan en caché incluso des... • https://me.sap.com/notes/3449093 • CWE-524: Use of Cache Containing Sensitive Information CWE-922: Insecure Storage of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-33009 – SQL injection vulnerability in SAP Global Label Management (GLM)
https://notcve.org/view.php?id=CVE-2024-33009
14 May 2024 — SAP Global Label Management is vulnerable to SQL injection. On exploitation the attacker can use specially crafted inputs to modify database commands resulting in the retrieval of additional information persisted by the system. This could lead to low impact on Confidentiality and Integrity of the application. SAP Global Label Management es vulnerable a la inyección SQL. Tras la explotación, el atacante puede utilizar entradas especialmente manipuladas para modificar los comandos de la base de datos, lo que ... • https://me.sap.com/notes/1938764 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •