CVE-2022-26104
https://notcve.org/view.php?id=CVE-2022-26104
SAP Financial Consolidation, version 10.1, does not perform the necessary authorization checks for updating homepage messages, allowing an unauthorized user to alter the maintenance system message. • https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 https://launchpad.support.sap.com/#/notes/3144941 • CWE-862: Missing Authorization
CVE-2019-0370
https://notcve.org/view.php?id=CVE-2019-0370
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query, leading to XPath Injection. • https://launchpad.support.sap.com/#/notes/2806403 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 • CWE-91: XML Injection (aka Blind XPath Injection)
CVE-2019-0369
https://notcve.org/view.php?id=CVE-2019-0369
SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to a reflected cross-site scripting vulnerability. • https://launchpad.support.sap.com/#/notes/2806403 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-2499
https://notcve.org/view.php?id=CVE-2018-2499
A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user. • http://www.securityfocus.com/bid/106466 https://launchpad.support.sap.com/#/notes/2699233 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
CVE-2018-2444
https://notcve.org/view.php?id=CVE-2018-2444
SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. • http://www.securityfocus.com/bid/105087 https://launchpad.support.sap.com/#/notes/2621395 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')