CVSS: 3.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23191 – Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP
https://notcve.org/view.php?id=CVE-2025-23191
11 Feb 2025 — Cached values belonging to the SAP OData endpoint in SAP Fiori for SAP ERP could be poisoned by modifying the Host header value in an HTTP GET request. An attacker could alter the `atom:link` values in the returned metadata redirecting them from the SAP server to a malicious link set by the attacker. Successful exploitation could cause low impact on integrity of the application. • https://me.sap.com/notes/3426825 • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22133 – Improper Access Control in SAP Fiori Front End Server
https://notcve.org/view.php?id=CVE-2024-22133
12 Mar 2024 — SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. SAP Fiori Front End Server: versión 605, permite modificar los detalles del aprobador en el campo de solo lectura al enviar información de solicitud de licencia. Esto podría dar lugar a la creación de una ... • https://me.sap.com/notes/3417399 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25643 – Missing authorization check in SAP Fiori app (My Overtime Requests)
https://notcve.org/view.php?id=CVE-2024-25643
13 Feb 2024 — The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. La aplicación SAP Fiori (Mi solicitud de horas extras), versión 605, no realiza las comprobaciones de autorización necesarias para un usuario autenticado, lo que ... • https://me.sap.com/notes/3237638 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-49584 – Client-Side Desynchronization vulnerability in SAP Fiori Launchpad
https://notcve.org/view.php?id=CVE-2023-49584
12 Dec 2023 — SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. Plataforma de lanzamiento de SAP Fiori: versiones SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, permite a un atacante utilizar el verbo HTTP POST en un servicio de solo lectura, lo que provoca un bajo impacto ... • https://me.sap.com/notes/3406786 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1903 – Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0)
https://notcve.org/view.php?id=CVE-2023-1903
11 Apr 2023 — SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. • https://launchpad.support.sap.com/#/notes/3301457 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24528
https://notcve.org/view.php?id=CVE-2023-24528
14 Feb 2023 — SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents. • https://launchpad.support.sap.com/#/notes/3290901 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 3CVE-2022-26101 – SAP Fiori Launchpad Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-26101
08 Mar 2022 — Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Fiori launchpad - versiones 754, 755, 756, no codifica suficientemente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo cross-Site Scripting (XSS) The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected. • https://packetstorm.news/files/id/167561 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 1CVE-2021-33699
https://notcve.org/view.php?id=CVE-2021-33699
10 Aug 2021 — Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unauthorized attacker or malware to takeover legitimate apps and to steal user's sensitive information. Task Hijacking, es una vulnerabilidad que afecta a las aplicaciones que se ejecutan en dispositivos Android debido a una mala configuración en el archivo AndroidManifest.xml con sus funciones de Task Control. Esto... • https://github.com/naroSEC/CVE-2021-33699_Task_Hijacking •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27605
https://notcve.org/view.php?id=CVE-2021-27605
13 Apr 2021 — SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. HCM Travel Management Fiori Apps V2 de SAP, versión - 608, no lleva a cabo una compr... • https://launchpad.support.sap.com/#/notes/3025054 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-26825
https://notcve.org/view.php?id=CVE-2020-26825
13 Nov 2020 — SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victi... • https://launchpad.support.sap.com/#/notes/2984627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •