
CVSS: 5.5 • EPSS: 0% • CPEs: 12 • EXPL: 0

11 Jun 2024 — SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application. • https://me.sap.com/notes/3465455 • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 14 • EXPL: 0

11 Jun 2024 — Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. • https://me.sap.com/notes/3465129 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 11 • EXPL: 0

11 Jun 2024 — An authenticated attacker can upload a malicious file to SAP Document Builder service. When the victim accesses this file, the attacker is allowed to access, modify, or make the related information unavailable in the victim’s browser. • https://me.sap.com/notes/3459379 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jun 2024 — SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application. • https://me.sap.com/notes/3453170 • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Jun 2024 — Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application. • https://me.sap.com/notes/3460407 • CWE-400: Uncontrolled Resource Consumption

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jun 2024 — SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. These endpoints are exposed over the network. The vulnerability can exploit resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to confidentiality of the application. • https://me.sap.com/notes/3457592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jun 2024 — SAP Financial Consolidation allows data to enter a Web application through an untrusted source. These endpoints are exposed over the network and it allows the user to modify the content from the web site. On successful exploitation, an attacker can cause significant impact to confidentiality and integrity of the application. • https://me.sap.com/notes/3457592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2024 — An unauthenticated attacker can upload a malicious file to the server which, when accessed by a victim, can allow an attacker to completely compromise the system. • https://me.sap.com/notes/3448171 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 4.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

14 May 2024 — SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. • https://me.sap.com/notes/3449093 • CWE-524: Use of Cache Containing Sensitive Information • CWE-922: Insecure Storage of Sensitive Information

CVSS: 7.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

14 May 2024 — SAP Global Label Management is vulnerable to SQL injection. On exploitation the attacker can use specially crafted inputs to modify database commands resulting in the retrieval of additional information persisted by the system. This could lead to low impact on Confidentiality and Integrity of the application. • https://me.sap.com/notes/1938764 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')