CVE-2019-0338
https://notcve.org/view.php?id=CVE-2019-0338
During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure.
• https://launchpad.support.sap.com/#/notes/2793351
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-0319
https://notcve.org/view.php?id=CVE-2019-0319
The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not.
• http://packetstormsecurity.com/files/153661/SAPUI5-1.0.0-SAP-Gateway-7.5-7.51-7.52-7.53-Content-Spoofing.html
• http://www.securityfocus.com/bid/109074
• https://cxsecurity.com/ascii/WLB-2019050283
• https://drive.google.com/open?id=1aGFqggvydehSK7MFIsfKW7tO60yiF55f
• https://launchpad.support.sap.com/#/notes/2752614
• https://launchpad.support.sap.com/#/notes/2911267
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')