CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-31403 – Improper Access Control vulnerability in SAP Business One product installation
https://notcve.org/view.php?id=CVE-2023-31403
14 Nov 2023 — SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability. La instalación de SAP Business One versión 10.0, no realiza comprobaciones de autenticación y autorización adecuadas para la carpe... • https://me.sap.com/notes/3355658 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41365 – Information Disclosure vulnerability in SAP Business One (B1i)
https://notcve.org/view.php?id=CVE-2023-41365
10 Oct 2023 — SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the confidentiality and no impact to the integrity and availability. SAP Business One (B1i): versión 10.0, permite a un atacante autorizado recuperar el seguimiento de la pila de detalles del mensaje de error para realizar la inyección XXE, l... • https://me.sap.com/notes/3338380 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39437 – Cross-Site Scripting (XSS) vulnerability in SAP Business One
https://notcve.org/view.php?id=CVE-2023-39437
08 Aug 2023 — SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. • https://me.sap.com/notes/3358300 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37487 – Security misconfiguration vulnerability in SAP Business One (Service Layer)
https://notcve.org/view.php?id=CVE-2023-37487
08 Aug 2023 — SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application • https://me.sap.com/notes/3333616 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33993 – SQL Injection vulnerability in SAP Business One B1i Layer
https://notcve.org/view.php?id=CVE-2023-33993
08 Aug 2023 — B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3337797 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35292
https://notcve.org/view.php?id=CVE-2022-35292
13 Sep 2022 — In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability. En la aplicación SAP Business One, cuando es creado un servicio, la ruta ejecutable contiene ... • https://launchpad.support.sap.com/#/notes/3223392 • CWE-428: Unquoted Search Path or Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32249
https://notcve.org/view.php?id=CVE-2022-32249
12 Jul 2022 — Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high privileged account credentials) En un escenario especial de integración de SAP Business One y SAP HANA - versión 10.0, un atacante puede explotar el volumen de datos del cockpit de HANA para acceder a información altamente confidencial (por ejemplo, credenciales de cuentas con altos privilegios) • https://launchpad.support.sap.com/#/notes/3212997 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35168
https://notcve.org/view.php?id=CVE-2022-35168
12 Jul 2022 — Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. Debido a un saneo inapropiado de la entrada XML en SAP Business One - versión 10.0, un atacante puede llevar a cabo un ataque de denegación de servicio haciendo que el sistema quede temporalmente inoperativo • https://launchpad.support.sap.com/#/notes/3211203 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31593
https://notcve.org/view.php?id=CVE-2022-31593
12 Jul 2022 — SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. El cliente SAP Business One - versión 10.0, permite a un atacante con bajos privilegios, inyectar código que puede ser ejecutado por la aplicación. Un atacante podría así controlar el comportamiento de la aplicación • https://launchpad.support.sap.com/#/notes/3191012 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28771
https://notcve.org/view.php?id=CVE-2022-28771
12 Jul 2022 — Due to missing authentication check, SAP Business one License service API - version 10.0 allows an unauthenticated attacker to send malicious http requests over the network. On successful exploitation, an attacker can break the whole application making it inaccessible. Debido a una falta de comprobación de la autenticación, la API del servicio de licencias de SAP Business one - versión 10.0 permite a un atacante no autenticado enviar peticiones http maliciosas a través de la red. Si es explotado con éxito, ... • https://launchpad.support.sap.com/#/notes/3157613 • CWE-306: Missing Authentication for Critical Function •