CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45283 – Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
https://notcve.org/view.php?id=CVE-2024-45283
SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data. • https://me.sap.com/notes/3477359 https://url.sap/sapsecuritypatchday • CWE-256: Plaintext Storage of a Password •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45280 – Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
https://notcve.org/view.php?id=CVE-2024-45280
Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. • https://me.sap.com/notes/3505503 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44120 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
https://notcve.org/view.php?id=CVE-2024-44120
SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. • https://me.sap.com/notes/3498221 https://url.sap/sapsecuritypatchday • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27899 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
https://notcve.org/view.php?id=CVE-2024-27899
Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability. Self-Registration and Modify your own profile en User Admin Application de NetWeaver AS Java no exige requisitos de seguridad adecuados para el contenido de la respuesta de seguridad recién definida. Un atacante puede aprovechar esto para causar un profundo impacto en la confidencialidad y un bajo impacto tanto en la integridad como en la disponibilidad. • https://me.sap.com/notes/3434839 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27898 – Server-Side Request Forgery in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2024-27898
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality. La aplicación SAP NetWeaver, debido a una validación de entrada insuficiente, permite a un atacante enviar una solicitud manipulada desde una aplicación web vulnerable dirigida a sistemas internos detrás de firewalls que normalmente son inaccesibles para un atacante desde la red externa, lo que resulta en una vulnerabilidad Server-Side Request Forgery. Teniendo así un bajo impacto en la confidencialidad. • https://me.sap.com/notes/3425188 https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 • CWE-918: Server-Side Request Forgery (SSRF) •