CVE-2022-24399 – SAP FRUN 2.00 / 3.00 Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-24399
The SAP Focused Run (Real User Monitoring) REST service, versions 200 and 300, does not sufficiently sanitize the input file name submitted via multipart/form-data, resulting in a cross-site scripting (XSS) vulnerability. SAP Focused Run versions 2.00 and 3.00 suffer from a cross-site scripting vulnerability.
• References:
http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2022/Jun/37
https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10
https://launchpad.support.sap.com/#/notes/3147283
• Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27609
https://notcve.org/view.php?id=CVE-2021-27609
SAP Focused Run versions 200 and 300 do not perform the necessary authorization checks for an authenticated user, which allows such a user to call the OData service and manipulate the activation of SAP EarlyWatch Alert service data collection and its transmission to SAP without the intended authorization.
• References:
https://launchpad.support.sap.com/#/notes/3030948
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649
• Weakness: CWE-862: Missing Authorization