CVE-2022-27657 – SAP FRUN Simple Diagnostics Agent 1.0 Directory Traversal
https://notcve.org/view.php?id=CVE-2022-27657
A highly privileged remote attacker can gain unauthorized access to display the contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0), version 1.0. SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a directory traversal vulnerability.
• http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html
• http://seclists.org/fulldisclosure/2022/Jun/41
• https://launchpad.support.sap.com/#/notes/3159091
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-24399 – SAP FRUN 2.00 / 3.00 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-24399
The SAP Focused Run (Real User Monitoring) REST service, versions 200 and 300, does not sufficiently sanitize the file name supplied in multipart/form-data input, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP Focused Run versions 2.00 and 3.00 suffer from a cross site scripting vulnerability.
• http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2022/Jun/37
• https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10
• https://launchpad.support.sap.com/#/notes/3147283
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27609
https://notcve.org/view.php?id=CVE-2021-27609
SAP Focused Run versions 200 and 300 do not perform the necessary authorization checks for an authenticated user, which allows that user to call the OData service and manipulate the activation of SAP EarlyWatch Alert service data collection and its sending to SAP without the intended authorization.
• https://launchpad.support.sap.com/#/notes/3030948
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649
• CWE-862: Missing Authorization
CVE-2020-6369
https://notcve.org/view.php?id=CVE-2020-6369
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow unauthenticated attackers to bypass authentication if the administrator has not changed the default passwords for the Admin and Guest users. This may impact the confidentiality of the service.
• http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html
• http://seclists.org/fulldisclosure/2021/Jun/31
• https://launchpad.support.sap.com/#/notes/2971638
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196