All the vulnerabilites related to sap - focused_run
cve-2022-27657
Vulnerability from cvelistv5
Published
2022-04-12 16:11
Modified
2024-08-03 05:32
Severity ?
EPSS score ?
Summary
A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
| https://launchpad.support.sap.com/#/notes/3159091 | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2022/Jun/41 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP SE | SAP Focused Run (Simple Diagnostics Agent) |
Version: 1.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:59.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3159091"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/41"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Focused Run (Simple Diagnostics Agent)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-21T21:06:17",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3159091"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/41"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2022-27657",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Focused Run (Simple Diagnostics Agent)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.0"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0."
}
]
},
"impact": {
"cvss": {
"baseScore": "null",
"vectorString": "null",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
"refsource": "MISC",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3159091",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3159091"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/Jun/41"
},
{
"name": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2022-27657",
"datePublished": "2022-04-12T16:11:29",
"dateReserved": "2022-03-22T00:00:00",
"dateUpdated": "2024-08-03T05:32:59.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24399
Vulnerability from cvelistv5
Published
2022-03-08 13:36
Modified
2024-08-03 04:07
Severity ?
EPSS score ?
Summary
The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | x_refsource_MISC | |
| https://launchpad.support.sap.com/#/notes/3147283 | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2022/Jun/37 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP SE | SAP Focused Run (Real User Monitoring) |
Version: < 200 Version: < 300 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:07:02.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3147283"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/37"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Focused Run (Real User Monitoring)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 200"
},
{
"status": "affected",
"version": "\u003c 300"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-21T21:06:15",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3147283"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/37"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2022-24399",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Focused Run (Real User Monitoring)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "200"
},
{
"version_name": "\u003c",
"version_value": "300"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"impact": {
"cvss": {
"baseScore": "null",
"vectorString": "null",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10",
"refsource": "MISC",
"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3147283",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3147283"
},
{
"name": "20220621 Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/Jun/37"
},
{
"name": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2022-24399",
"datePublished": "2022-03-08T13:36:07",
"dateReserved": "2022-02-03T00:00:00",
"dateUpdated": "2024-08-03T04:07:02.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27609
Vulnerability from cvelistv5
Published
2021-04-13 18:45
Modified
2024-08-03 21:26
Severity ?
EPSS score ?
Summary
SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | x_refsource_MISC | |
| https://launchpad.support.sap.com/#/notes/3030948 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP SE | SAP Focused RUN |
Version: < 200 Version: < 300 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3030948"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Focused RUN",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 200"
},
{
"status": "affected",
"version": "\u003c 300"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T18:45:06",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3030948"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-27609",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Focused RUN",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "200"
},
{
"version_name": "\u003c",
"version_value": "300"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.6",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3030948",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3030948"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-27609",
"datePublished": "2021-04-13T18:45:06",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-6369
Vulnerability from cvelistv5
Published
2020-10-20 13:30
Modified
2024-08-04 09:02
Severity ?
EPSS score ?
Summary
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | x_refsource_MISC | |
| https://launchpad.support.sap.com/#/notes/2971638 | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2021/Jun/31 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP SE | CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) |
Version: < 9.7 Version: < 10.1 Version: < 10.5 Version: < 10.7 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:02:39.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2971638"
},
{
"name": "20210614 Onapsis Security Advisory 2021-0009: Hard-coded Credentials in CA Introscope Enterprise Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Jun/31"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 9.7"
},
{
"status": "affected",
"version": "\u003c 10.1"
},
{
"status": "affected",
"version": "\u003c 10.5"
},
{
"status": "affected",
"version": "\u003c 10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Hard Coded Credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-15T20:06:24",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2971638"
},
{
"name": "20210614 Onapsis Security Advisory 2021-0009: Hard-coded Credentials in CA Introscope Enterprise Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Jun/31"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2020-6369",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "9.7"
},
{
"version_name": "\u003c",
"version_value": "10.1"
},
{
"version_name": "\u003c",
"version_value": "10.5"
},
{
"version_name": "\u003c",
"version_value": "10.7"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service."
}
]
},
"impact": {
"cvss": {
"baseScore": "7.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Hard Coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2971638",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2971638"
},
{
"name": "20210614 Onapsis Security Advisory 2021-0009: Hard-coded Credentials in CA Introscope Enterprise Manager",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Jun/31"
},
{
"name": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2020-6369",
"datePublished": "2020-10-20T13:30:36",
"dateReserved": "2020-01-08T00:00:00",
"dateUpdated": "2024-08-04T09:02:39.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-04-12 17:15
Modified
2024-11-21 06:56
Severity ?
Summary
A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html | Third Party Advisory, VDB Entry | |
| cna@sap.com | http://seclists.org/fulldisclosure/2022/Jun/41 | Mailing List, Third Party Advisory | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3159091 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2022/Jun/41 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3159091 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | focused_run | 1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:focused_run:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66DFE7A3-04F1-449E-8437-9EC207F6C6AE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0."
},
{
"lang": "es",
"value": "Un atacante remoto con altos privilegios, puede obtener acceso no autorizado para mostrar el contenido de directorios restringidos aprovechando la insuficiente comprobaci\u00f3n de la informaci\u00f3n de la ruta en SAP Focused Run (Simple Diagnostics Agent versi\u00f3n 1.0) - versi\u00f3n 1.0"
}
],
"id": "CVE-2022-27657",
"lastModified": "2024-11-21T06:56:06.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-12T17:15:10.207",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html"
},
{
"source": "cna@sap.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/41"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3159091"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167563/SAP-FRUN-Simple-Diagnostics-Agent-1.0-Directory-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/41"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3159091"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "cna@sap.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-20 14:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html | Third Party Advisory | |
| cna@sap.com | http://seclists.org/fulldisclosure/2021/Jun/31 | Mailing List, Third Party Advisory | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2971638 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Jun/31 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2971638 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | focused_run | 9.7 | |
| sap | focused_run | 10.1 | |
| sap | focused_run | 10.5 | |
| sap | focused_run | 10.7 | |
| sap | solution_manager | 9.7 | |
| sap | solution_manager | 10.1 | |
| sap | solution_manager | 10.5 | |
| sap | solution_manager | 10.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:focused_run:9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "943FA0F4-D11F-45B2-9976-09E5D45CBB7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:focused_run:10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F2501893-6254-4552-9F59-CB8B28F45991",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:focused_run:10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5367525D-5FB2-4022-B591-845290965C34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:focused_run:10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D9FED5DC-03E3-49DF-AF2F-05C2D59317E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_manager:9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "22A5F5BB-C0AE-44AA-939C-44940968486D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_manager:10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7BE818F0-51D6-4EF8-8FD9-A2A44C423B18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_manager:10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BE26251F-299E-40FC-8792-192D0D018AC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:solution_manager:10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EA3D73-6BFB-42BE-B9C7-E98A7926B1B2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service."
},
{
"lang": "es",
"value": "SAP Solution Manager y SAP Focused Run (actualizaci\u00f3n provista en WILY_INTRO_ENTERPRISE versiones 9.7, 10.1, 10.5, 10.7), permite a atacantes no autenticados omitir la autenticaci\u00f3n si el administrador no ha cambiado las contrase\u00f1as predeterminadas para el usuario Admin e Guest. Esto puede afectar la confidencialidad del servicio"
}
],
"id": "CVE-2020-6369",
"lastModified": "2024-11-21T05:35:35.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cna@sap.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-20T14:15:14.897",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html"
},
{
"source": "cna@sap.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Jun/31"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2971638"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Jun/31"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2971638"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-13 19:15
Modified
2024-11-21 05:58
Severity ?
Summary
SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3030948 | Permissions Required | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3030948 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | focused_run | 200 | |
| sap | focused_run | 300 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:focused_run:200:*:*:*:*:*:*:*",
"matchCriteriaId": "23D18964-F53B-426A-A65B-C47A407992E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:focused_run:300:*:*:*:*:*:*:*",
"matchCriteriaId": "18EAA789-3AAE-4C69-88B6-F457247A19D8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization."
},
{
"lang": "es",
"value": "SAP Focused RUN versiones 200, 300 no llevan a cabo las comprobaciones de autorizaci\u00f3n necesarias para un usuario autenticado, el cual permite a un usuario llamar al servicio oData y manipular la activaci\u00f3n para la recopilaci\u00f3n y env\u00edo de datos del servicio SAP EarlyWatch Alert a SAP sin la autorizaci\u00f3n prevista"
}
],
"id": "CVE-2021-27609",
"lastModified": "2024-11-21T05:58:17.420",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "cna@sap.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-13T19:15:15.537",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/3030948"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/3030948"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-10 17:46
Modified
2024-11-21 06:50
Severity ?
Summary
The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cna@sap.com | http://seclists.org/fulldisclosure/2022/Jun/37 | Exploit, Mailing List, Third Party Advisory | |
| cna@sap.com | https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | Vendor Advisory | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3147283 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2022/Jun/37 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3147283 | Permissions Required, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | focused_run | 200 | |
| sap | focused_run | 300 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:focused_run:200:*:*:*:*:*:*:*",
"matchCriteriaId": "23D18964-F53B-426A-A65B-C47A407992E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:focused_run:300:*:*:*:*:*:*:*",
"matchCriteriaId": "18EAA789-3AAE-4C69-88B6-F457247A19D8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "El servicio REST de SAP Focused Run (Real User Monitoring) - versiones 200, 300, no sanea suficientemente el nombre de entrada del archivo usando multipart/form-data, resultando en una vulnerabilidad de tipo cross-Site Scripting (XSS)"
}
],
"id": "CVE-2022-24399",
"lastModified": "2024-11-21T06:50:20.337",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-10T17:46:11.047",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html"
},
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/37"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3147283"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167559/SAP-FRUN-2.00-3.00-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3147283"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}