CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22133 – Improper Access Control in SAP Fiori Front End Server
https://notcve.org/view.php?id=CVE-2024-22133
SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. SAP Fiori Front End Server: versión 605, permite modificar los detalles del aprobador en el campo de solo lectura al enviar información de solicitud de licencia. Esto podría dar lugar a la creación de una solicitud con un aprobador incorrecto, lo que provocaría un bajo impacto en la confidencialidad y la integridad, sin ningún impacto en la disponibilidad de la aplicación. • https://me.sap.com/notes/3417399 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25643 – Missing authorization check in SAP Fiori app (My Overtime Requests)
https://notcve.org/view.php?id=CVE-2024-25643
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. La aplicación SAP Fiori (Mi solicitud de horas extras), versión 605, no realiza las comprobaciones de autorización necesarias para un usuario autenticado, lo que puede dar lugar a una escalada de privilegios. Es posible manipular las URL de solicitudes de datos para acceder a información a la que el usuario no debería tener acceso. • https://me.sap.com/notes/3237638 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-49584 – Client-Side Desynchronization vulnerability in SAP Fiori Launchpad
https://notcve.org/view.php?id=CVE-2023-49584
SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. Plataforma de lanzamiento de SAP Fiori: versiones SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, permite a un atacante utilizar el verbo HTTP POST en un servicio de solo lectura, lo que provoca un bajo impacto en la confidencialidad de la aplicación. • https://me.sap.com/notes/3406786 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1903 – Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0)
https://notcve.org/view.php?id=CVE-2023-1903
SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. • https://launchpad.support.sap.com/#/notes/3301457 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24528
https://notcve.org/view.php?id=CVE-2023-24528
SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents. • https://launchpad.support.sap.com/#/notes/3290901 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •