CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2019-0388
https://notcve.org/view.php?id=CVE-2019-0388
SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. El controlador HTTP de SAP UI5 (corregido en SAP_UI versiones 7.5, 7.51, 7.52, 7.53, 7.54 y SAP UI_700 versión 2.0), permite a un atacante manipular el contenido debido a una comprobación de URL insuficiente. • https://launchpad.support.sap.com/#/notes/2843016 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2018-2434
https://notcve.org/view.php?id=CVE-2018-2434
A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52). There is little impact as it is not possible to embed active contents such as JavaScript or hyperlinks. Una vulnerabilidad de suplantación de contenido en los siguentes componentes permite renderizar páginas HTML que contienen texto plano arbitrario, lo que podría engañar a un usuario final: UI add-on para SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation para Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51 y 7.52). No supone mucho impacto, ya que no es posible embeber contenido activo como JavaScript o hipervínculos. • http://www.securityfocus.com/bid/105088 https://launchpad.support.sap.com/#/notes/2633180 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2018-2424
https://notcve.org/view.php?id=CVE-2018-2424
SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00 SAP UI5 no validó las entradas de usuario antes de añadirlas a la estructura DOM. Esto podría conducir a que se añada al DOM código JavaScript malicioso proporcionado por el usuario que podría robar información del usuario. Los componentes de software afectados son: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52 y la versión 2.0 de SAP UI para SAP NetWeaver 7.00 • http://www.securityfocus.com/bid/104459 https://launchpad.support.sap.com/#/notes/2538856 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=495289255 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2018-2428
https://notcve.org/view.php?id=CVE-2018-2428
Under certain conditions SAP UI5 Handler allows an attacker to access information which would otherwise be restricted. Software components affected are: SAP Infrastructure 1.0, SAP UI 7.4, 7.5, 7.51, 7.52 and version 2.0 of SAP UI for SAP NetWeaver 7.00. En ciertas condiciones, SAP UI5 Handler permite que un atacante acceda a información que normalmente estaría restringida. Los componentes de software afectados son: SAP Infrastructure 1.0, SAP UI 7.4, 7.5, 7.51, 7.52 y la versión 2.0 de SAP UI para SAP NetWeaver 7.00. • http://www.securityfocus.com/bid/104446 https://launchpad.support.sap.com/#/notes/2621121 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=495289255 •