21 vulnerabilities found for sapscore by sap
FKIE_CVE-2023-29188
Vulnerability from fkie_nvd - Published: 2023-05-09 01:15 - Updated: 2024-11-21 07:56
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user-level access can read and modify some sensitive information but cannot delete the data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.01 | |
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | s4fnd | 102 | |
| sap | s4fnd | 103 | |
| sap | s4fnd | 104 | |
| sap | s4fnd | 105 | |
| sap | s4fnd | 106 | |
| sap | s4fnd | 107 | |
| sap | sapscore | 129 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.01:*:*:*:*:*:*:*",
"matchCriteriaId": "314EA6B5-D3E3-4559-A34A-51A6BB4F3E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:102:*:*:*:*:*:*:*",
"matchCriteriaId": "FEA8EA38-C0D1-4EB0-93D5-DEBA8446E685",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:103:*:*:*:*:*:*:*",
"matchCriteriaId": "43ED5850-580C-40F2-ABCD-CCA33B63D4CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:104:*:*:*:*:*:*:*",
"matchCriteriaId": "104C4099-341D-4796-8425-D61A44FB7839",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:105:*:*:*:*:*:*:*",
"matchCriteriaId": "66A663D3-247D-497E-8CE3-4D21E4A43C99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:106:*:*:*:*:*:*:*",
"matchCriteriaId": "09C81075-4864-47A7-9851-DD46EE9B2E78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4fnd:107:*:*:*:*:*:*:*",
"matchCriteriaId": "54AD7034-006C-4698-BF4F-D3584D88EC77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:129:*:*:*:*:*:*:*",
"matchCriteriaId": "4ACAA9A2-5CD6-4C6B-829B-CB534FADFAD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\n\n"
}
],
"id": "CVE-2023-29188",
"lastModified": "2024-11-21T07:56:40.970",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-09T01:15:08.943",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Broken Link"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31597
Vulnerability from fkie_nvd - Published: 2022-07-12 21:15 - Updated: 2024-11-21 07:04
Summary
Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform the necessary authorization checks for a low-privileged authenticated user over the network, resulting in an escalation of privileges with a low impact on the confidentiality and integrity of the data.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3213826 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3213826 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:101:*:*:*:*:*:*:*",
"matchCriteriaId": "E6FE144C-BAF2-4E45-93EE-D70764BDEFD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:102:*:*:*:*:*:*:*",
"matchCriteriaId": "55BACB30-A607-410E-AB05-E991CC19CE12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:103:*:*:*:*:*:*:*",
"matchCriteriaId": "95A0C742-4CBD-46B8-B2B3-5949EFC82A6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:104:*:*:*:*:*:*:*",
"matchCriteriaId": "14A540DA-F234-4EEA-ADE8-4F6306A86C1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:105:*:*:*:*:*:*:*",
"matchCriteriaId": "088EF501-76F9-44EC-B8B9-AED6F6096C03",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s\\/4hana:106:*:*:*:*:*:*:*",
"matchCriteriaId": "E0023602-B509-4B20-9B29-20EEE88E1692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:127:*:*:*:*:*:*:*",
"matchCriteriaId": "0B2FC5C8-4459-4D5F-B06F-EF52D20AD451",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
},
{
"lang": "es",
"value": "Dentro de SAP S/4HANA - versiones S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE versi\u00f3n 127, la extensi\u00f3n de la aplicaci\u00f3n de socios comerciales para Espa\u00f1a/Eslovaquia no lleva a cabo las comprobaciones de autorizaci\u00f3n necesarias para un usuario autenticado con pocos privilegios a trav\u00e9s de la red, resultando en una escalada de privilegios que presenta un impacto bajo en la confidencialidad e integridad de los datos"
}
],
"id": "CVE-2022-31597",
"lastModified": "2024-11-21T07:04:49.053",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-12T21:15:10.143",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2021-33701
Vulnerability from fkie_nvd - Published: 2021-09-15 19:15 - Updated: 2024-11-21 06:09
Summary
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to a highly privileged account to execute a manipulated query in the NDZT tool to gain access to the Superuser account, leading to a SQL Injection vulnerability that highly impacts the system's Confidentiality, Integrity and Availability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:dmis:710:*:*:*:*:*:*:*",
"matchCriteriaId": "2C48386F-C6F6-42E5-9959-02F8A6D342FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_620:*:*:*:*:*:*:*",
"matchCriteriaId": "B7BDA4D1-2A3E-44FA-B4C2-3332190F9EA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_640:*:*:*:*:*:*:*",
"matchCriteriaId": "6EA96DC2-4DAF-46F5-84CB-3E04FED9D6D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_700:*:*:*:*:*:*:*",
"matchCriteriaId": "3A24CF8F-3BF0-453E-85A3-1FEAC970F2FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_710:*:*:*:*:*:*:*",
"matchCriteriaId": "CA15FBA3-6A8A-40F6-8877-92DA36AD6951",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_730:*:*:*:*:*:*:*",
"matchCriteriaId": "0E5DB1DF-AA42-40FF-90C0-5FC2D5D270E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_731:*:*:*:*:*:*:*",
"matchCriteriaId": "F99C414C-4256-44C6-AE0F-22BDFEF7C48A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2011_1_752:*:*:*:*:*:*:*",
"matchCriteriaId": "F970480D-5A7A-477E-B7B4-60883E343DC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:dmis:2020125:*:*:*:*:*:*:*",
"matchCriteriaId": "02C8F50F-F150-42BC-99E1-2AB647052ADD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:102:*:*:*:*:*:*:*",
"matchCriteriaId": "04C95A73-48EB-446C-A5F0-20E1D6BC1779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:103:*:*:*:*:*:*:*",
"matchCriteriaId": "1C3C9003-68A6-4886-8979-9B7D01A35E40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:104:*:*:*:*:*:*:*",
"matchCriteriaId": "964023CE-6EA4-42BB-93B2-DCE6B36D3F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:105:*:*:*:*:*:*:*",
"matchCriteriaId": "84B775EF-6C11-4FAB-B5E7-8F6C4C5674BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:125:*:*:*:*:*:*:*",
"matchCriteriaId": "FE9149EF-F7D0-45AA-99F5-90101F19E282",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
},
{
"lang": "es",
"value": "DMIS Mobile Plug-In o SAP S/4HANA, versiones - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, permite a un atacante con acceso a una cuenta altamente privilegiada ejecutar una consulta manipulada en la herramienta NDZT para conseguir acceso a la cuenta Superuser, conllevando a una vulnerabilidad de Inyecci\u00f3n SQL, que presenta un gran impacto en la Confidencialidad, Integridad y Disponibilidad de los sistemas"
}
],
"id": "CVE-2021-33701",
"lastModified": "2024-11-21T06:09:24.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "cna@sap.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-15T19:15:09.697",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
},
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"source": "cna@sap.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"VDB Entry",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"VDB Entry",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@sap.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2019-0245
Vulnerability from fkie_nvd - Published: 2019-01-08 20:29 - Updated: 2024-11-21 04:16
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/106468 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106468 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | sapscore | 1.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "16B411D4-96AC-4706-97EA-E2694319154A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2019-0245",
"lastModified": "2024-11-21T04:16:34.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-08T20:29:00.783",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-0244
Vulnerability from fkie_nvd - Published: 2019-01-08 20:29 - Updated: 2024-11-21 04:16
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/106473 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106473 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2588763 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | customer_relationship_management_webclient_ui | 7.31 | |
| sap | customer_relationship_management_webclient_ui | 7.46 | |
| sap | customer_relationship_management_webclient_ui | 7.47 | |
| sap | customer_relationship_management_webclient_ui | 7.48 | |
| sap | customer_relationship_management_webclient_ui | 8.00 | |
| sap | customer_relationship_management_webclient_ui | 8.01 | |
| sap | s4fnd | 1.02 | |
| sap | sapscore | 1.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "470B27E7-C245-43B3-9ED0-545A06158114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.46:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA5DC54-236B-4832-AA79-6EC111EFFBF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4056C921-05B8-4465-96CD-429B520AA6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:7.48:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CBB62D-FDA3-4A23-9175-B9171EA9CE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.00:*:*:*:*:*:*:*",
"matchCriteriaId": "1440F085-EB15-4910-8AB8-C72E67B8B39E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:customer_relationship_management_webclient_ui:8.01:*:*:*:*:*:*:*",
"matchCriteriaId": "F8D60B19-8578-40AF-9A09-5D6EB8D2DB40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4fnd:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "3A88FFDD-4967-4E81-8E44-3F4A7BCCE943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "16B411D4-96AC-4706-97EA-E2694319154A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP CRM WebClient UI (solucionado en SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) no valida suficientemente los campos ocultos controlados por el usuario, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2019-0244",
"lastModified": "2024-11-21T04:16:34.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-08T20:29:00.737",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-2484
Vulnerability from fkie_nvd - Published: 2019-01-08 20:29 - Updated: 2024-11-21 04:03
Summary
SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/106477 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2662687 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106477 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2662687 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | sapscore | 1.13 | |
| sap | sapscore | 1.14 | |
| sap | sapscore | 1.15 | |
| sap | s4core | 1.01 | |
| sap | s4core | 1.02 | |
| sap | s4core | 1.03 | |
| sap | ea-finserv | 1.10 | |
| sap | ea-finserv | 2.0 | |
| sap | ea-finserv | 5.0 | |
| sap | ea-finserv | 6.0 | |
| sap | ea-finserv | 6.03 | |
| sap | ea-finserv | 6.04 | |
| sap | ea-finserv | 6.05 | |
| sap | ea-finserv | 6.06 | |
| sap | ea-finserv | 6.16 | |
| sap | ea-finserv | 6.17 | |
| sap | ea-finserv | 6.18 | |
| sap | ea-finserv | 8.0 | |
| sap | bank\/cfm | 4.63_20 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A7F34FFD-52D4-4137-ACFF-E1D1A5961BC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "65BB7CFD-A663-451E-A8E8-8ACD00DAC03D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E3C233D8-6DCC-4723-ACC7-E259412E0D95",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4core:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "A80D9723-2BD5-4861-AAC8-C476AE1D6957",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "FCD8AB6B-B411-4336-9DD7-50D9E1C94FC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "17AEBFBA-0E6B-44C9-8E2B-18823944025E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:ea-finserv:1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "03E5225C-6CEA-4D9C-9F39-5FC5C3FBF9BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DF0A8603-FE03-4E19-A41A-CD512C64411A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4225331D-D4A6-4C4B-81CA-AEA5E9752B81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7D988C6A-FFA9-4674-8F4D-D5CF944A2EAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.03:*:*:*:*:*:*:*",
"matchCriteriaId": "B1FF1A3A-2030-4690-875C-5FB11EA69FEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.04:*:*:*:*:*:*:*",
"matchCriteriaId": "F7B8824B-A919-40E3-82EC-291445014BE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.05:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5119FD-7E2F-4ECC-9DA9-706FABE46EC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.06:*:*:*:*:*:*:*",
"matchCriteriaId": "4C0060F4-07EB-4B11-A5FE-C6981FBB6458",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.16:*:*:*:*:*:*:*",
"matchCriteriaId": "A3F343C6-A992-49E9-B7FC-8E0CE24F4338",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.17:*:*:*:*:*:*:*",
"matchCriteriaId": "3ABAF511-4A30-4AD1-9C38-EDB9ECBCEEC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.18:*:*:*:*:*:*:*",
"matchCriteriaId": "B4EDC68A-4DA0-4399-A3CF-A41B7E425E1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5ECD565C-751A-40D4-831D-4012CE388CDA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:bank\\/cfm:4.63_20:*:*:*:*:*:*:*",
"matchCriteriaId": "978F7B9F-490A-4506-B340-314774D4AFF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
},
{
"lang": "es",
"value": "SAP Enterprise Financial Services (solucionado en SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) no realiza las comprobaciones necesarias de autorizaci\u00f3n para un usuario autenticado, lo que resulta en un escalado de privilegios."
}
],
"id": "CVE-2018-2484",
"lastModified": "2024-11-21T04:03:54.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-08T20:29:00.297",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106477"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-2419
Vulnerability from fkie_nvd - Published: 2018-05-09 20:29 - Updated: 2024-11-21 04:03
Severity ?
3.7 (Low) - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
4.6 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
4.6 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@sap.com | http://www.securityfocus.com/bid/104116 | Third Party Advisory, VDB Entry | |
| cna@sap.com | https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/ | Vendor Advisory | |
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2596627 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/104116 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2596627 | Permissions Required |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | sapscore | 1.11 | |
| sap | sapscore | 1.12 | |
| sap | s4core | 1.01 | |
| sap | s4core | 1.02 | |
| sap | ea-finserv | 6.04 | |
| sap | ea-finserv | 6.05 | |
| sap | ea-finserv | 6.06 | |
| sap | ea-finserv | 6.16 | |
| sap | ea-finserv | 6.17 | |
| sap | ea-finserv | 6.18 | |
| sap | ea-finserv | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:sapscore:1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4AA40396-5487-4306-993A-216BEC68AE65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:sapscore:1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "16B411D4-96AC-4706-97EA-E2694319154A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:s4core:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "A80D9723-2BD5-4861-AAC8-C476AE1D6957",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:s4core:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "FCD8AB6B-B411-4336-9DD7-50D9E1C94FC2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.04:*:*:*:*:*:*:*",
"matchCriteriaId": "F7B8824B-A919-40E3-82EC-291445014BE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.05:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5119FD-7E2F-4ECC-9DA9-706FABE46EC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.06:*:*:*:*:*:*:*",
"matchCriteriaId": "4C0060F4-07EB-4B11-A5FE-C6981FBB6458",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.16:*:*:*:*:*:*:*",
"matchCriteriaId": "A3F343C6-A992-49E9-B7FC-8E0CE24F4338",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.17:*:*:*:*:*:*:*",
"matchCriteriaId": "3ABAF511-4A30-4AD1-9C38-EDB9ECBCEEC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:6.18:*:*:*:*:*:*:*",
"matchCriteriaId": "B4EDC68A-4DA0-4399-A3CF-A41B7E425E1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:ea-finserv:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5ECD565C-751A-40D4-831D-4012CE388CDA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
},
{
"lang": "es",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) no realiza las comprobaciones necesarias de autorizaci\u00f3n para un usuario autenticado, lo que resulta en un escalado de privilegios."
}
],
"id": "CVE-2018-2419",
"lastModified": "2024-11-21T04:03:46.940",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-09T20:29:00.887",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-29188 (GCVE-0-2023-29188)
Vulnerability from cvelistv5 – Published: 2023-05-09 00:57 – Updated: 2025-01-28 16:13
Summary
SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP_SE | SAP CRM WebClient UI | Affected: SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T16:13:12.372471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T16:13:33.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPSCORE 129"
},
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\u003c/p\u003e"
}
],
"value": "SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T00:57:57.055Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-29188",
"datePublished": "2023-05-09T00:57:57.055Z",
"dateReserved": "2023-04-03T09:22:43.158Z",
"dateUpdated": "2025-01-28T16:13:33.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31597 (GCVE-0-2022-31597)
Vulnerability from cvelistv5 – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:25
Summary
Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP S/4HANA | Affected: S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:25:59.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP S/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "S4CORE 101"
},
{
"status": "affected",
"version": "102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "SAPSCORE 127"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T20:27:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2022-31597",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP S/4HANA",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "S4CORE 101"
},
{
"version_affected": "=",
"version_value": "102"
},
{
"version_affected": "=",
"version_value": "103"
},
{
"version_affected": "=",
"version_value": "104"
},
{
"version_affected": "=",
"version_value": "105"
},
{
"version_affected": "=",
"version_value": "106"
},
{
"version_affected": "=",
"version_value": "SAPSCORE 127"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
}
]
},
"impact": {
"cvss": {
"baseScore": "null",
"vectorString": "null",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
"refsource": "MISC",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3213826",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2022-31597",
"datePublished": "2022-07-12T20:27:00",
"dateReserved": "2022-05-24T00:00:00",
"dateUpdated": "2024-08-03T07:25:59.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33701 (GCVE-0-2021-33701)
Vulnerability from cvelistv5 – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
Summary
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
Severity ?
9.1 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | DMIS Mobile Plug-In | Affected: < DMIS 2011_1_620, < 2011_1_640, < 2011_1_700, < 2011_1_710, < 2011_1_730, < 710, < 2011_1_731, < 2011_1_752, < 2020 |
| SAP SE | SAP S/4HANA | Affected: < SAPSCORE 125, < S4CORE 102, < 102, < 103, < 104, < 105 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DMIS Mobile Plug-In",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c DMIS 2011_1_620"
},
{
"status": "affected",
"version": "\u003c 2011_1_640"
},
{
"status": "affected",
"version": "\u003c 2011_1_700"
},
{
"status": "affected",
"version": "\u003c 2011_1_710"
},
{
"status": "affected",
"version": "\u003c 2011_1_730"
},
{
"status": "affected",
"version": "\u003c 710"
},
{
"status": "affected",
"version": "\u003c 2011_1_731"
},
{
"status": "affected",
"version": "\u003c 2011_1_752"
},
{
"status": "affected",
"version": "\u003c 2020"
}
]
},
{
"product": "SAP S/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c SAPSCORE 125"
},
{
"status": "affected",
"version": "\u003c S4CORE 102"
},
{
"status": "affected",
"version": "\u003c 102"
},
{
"status": "affected",
"version": "\u003c 103"
},
{
"status": "affected",
"version": "\u003c 104"
},
{
"status": "affected",
"version": "\u003c 105"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T17:06:24",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DMIS Mobile Plug-In",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "DMIS 2011_1_620"
},
{
"version_name": "\u003c",
"version_value": "2011_1_640"
},
{
"version_name": "\u003c",
"version_value": "2011_1_700"
},
{
"version_name": "\u003c",
"version_value": "2011_1_710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_730"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_731"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_752"
},
{
"version_name": "\u003c",
"version_value": "2020"
}
]
}
},
{
"product_name": "SAP S/4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "SAPSCORE 125"
},
{
"version_name": "\u003c",
"version_value": "S4CORE 102"
},
{
"version_name": "\u003c",
"version_value": "102"
},
{
"version_name": "\u003c",
"version_value": "103"
},
{
"version_name": "\u003c",
"version_value": "104"
},
{
"version_name": "\u003c",
"version_value": "105"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.1",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3078312",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33701",
"datePublished": "2021-09-15T18:01:55",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0245 (GCVE-0-2019-0245)
Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
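| URL | Tags |
|---|---|
| https://launchpad.support.sap.com/#/notes/2588763 | x_refsource_MISC |
| http://www.securityfocus.com/bid/106468 | vdb-entry, x_refsource_BID |
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | x_refsource_MISC |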
Impacted products
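| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP CRM WebClient UI (SAPSCORE) | Affected: < 1.12 |
| SAP SE | SAP CRM WebClient UI (S4FND) | Affected: < 1.02 |
| SAP SE | SAP CRM WebClient UI (WEBCUIF) | Affected: < 7.31 Affected: < 7.46 Affected: < 7.47 Affected: < 7.48 Affected: < 8.0 Affected: < 8.01 |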
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0245",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106468"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0245",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:15.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0244 (GCVE-0-2019-0244)
Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
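| URL | Tags |
|---|---|
| https://launchpad.support.sap.com/#/notes/2588763 | x_refsource_MISC |
| http://www.securityfocus.com/bid/106473 | vdb-entry, x_refsource_BID |
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | x_refsource_MISC |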
Impacted products
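| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP CRM WebClient UI (SAPSCORE) | Affected: < 1.12 |
| SAP SE | SAP CRM WebClient UI (S4FND) | Affected: < 1.02 |
| SAP SE | SAP CRM WebClient UI (WEBCUIF) | Affected: < 7.31 Affected: < 7.46 Affected: < 7.47 Affected: < 7.48 Affected: < 8.0 Affected: < 8.01 |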
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106473"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0244",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2484 (GCVE-0-2018-2484)
Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-05 04:21
Summary
SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
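| URL | Tags |
|---|---|
| https://launchpad.support.sap.com/#/notes/2662687 | x_refsource_MISC |
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985 | x_refsource_MISC |
| http://www.securityfocus.com/bid/106477 | vdb-entry, x_refsource_BID |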
Impacted products
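| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP Enterprise Financial Services (SAPSCORE) | Affected: < 1.13 Affected: < 1.14 Affected: < 1.15 |
| SAP SE | SAP Enterprise Financial Services (S4CORE) | Affected: < 1.01 Affected: < 1.02 Affected: < 1.03 |
| SAP SE | SAP Enterprise Financial Services (EA-FINSERV) | Affected: < 1.10 Affected: < 2.0 Affected: < 5.0 Affected: < 6.0 Affected: < 6.03 Affected: < 6.04 Affected: < 6.05 Affected: < 6.06 Affected: < 6.16 Affected: < 6.17 Affected: < 6.18 Affected: < 8.0 |
| SAP SE | SAP Enterprise Financial Services (Bank/CFM) | Affected: < 4.63_20 |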
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:33.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106477"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Enterprise Financial Services (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13"
},
{
"status": "affected",
"version": "\u003c 1.14"
},
{
"status": "affected",
"version": "\u003c 1.15"
}
]
},
{
"product": "SAP Enterprise Financial Services (S4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.01"
},
{
"status": "affected",
"version": "\u003c 1.02"
},
{
"status": "affected",
"version": "\u003c 1.03"
}
]
},
{
"product": "SAP Enterprise Financial Services (EA-FINSERV)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10"
},
{
"status": "affected",
"version": "\u003c 2.0"
},
{
"status": "affected",
"version": "\u003c 5.0"
},
{
"status": "affected",
"version": "\u003c 6.0"
},
{
"status": "affected",
"version": "\u003c 6.03"
},
{
"status": "affected",
"version": "\u003c 6.04"
},
{
"status": "affected",
"version": "\u003c 6.05"
},
{
"status": "affected",
"version": "\u003c 6.06"
},
{
"status": "affected",
"version": "\u003c 6.16"
},
{
"status": "affected",
"version": "\u003c 6.17"
},
{
"status": "affected",
"version": "\u003c 6.18"
},
{
"status": "affected",
"version": "\u003c 8.0"
}
]
},
{
"product": "SAP Enterprise Financial Services (Bank/CFM)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 4.63_20"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106477"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Enterprise Financial Services (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.13"
},
{
"version_name": "\u003c",
"version_value": "1.14"
},
{
"version_name": "\u003c",
"version_value": "1.15"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (S4CORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.01"
},
{
"version_name": "\u003c",
"version_value": "1.02"
},
{
"version_name": "\u003c",
"version_value": "1.03"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.10"
},
{
"version_name": "\u003c",
"version_value": "2.0"
},
{
"version_name": "\u003c",
"version_value": "5.0"
},
{
"version_name": "\u003c",
"version_value": "6.0"
},
{
"version_name": "\u003c",
"version_value": "6.03"
},
{
"version_name": "\u003c",
"version_value": "6.04"
},
{
"version_name": "\u003c",
"version_value": "6.05"
},
{
"version_name": "\u003c",
"version_value": "6.06"
},
{
"version_name": "\u003c",
"version_value": "6.16"
},
{
"version_name": "\u003c",
"version_value": "6.17"
},
{
"version_name": "\u003c",
"version_value": "6.18"
},
{
"version_name": "\u003c",
"version_value": "8.0"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (Bank/CFM)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "4.63_20"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2662687",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106477"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2484",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:33.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2419 (GCVE-0-2018-2419)
Vulnerability from cvelistv5 – Published: 2018-05-09 20:00 – Updated: 2024-08-05 04:21
Summary
SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
3.7 (Low)
CWE
- Missing Authorization Check
Assigner
References
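| URL | Tags |
|---|---|
| https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/ | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104116 | vdb-entry, x_refsource_BID |
| https://launchpad.support.sap.com/#/notes/2596627 | x_refsource_MISC |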
Impacted products
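| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP Enterprise Financial Services (SAPSCORE) | Affected: 1.11 Affected: 1.12 |
| SAP SE | SAP Enterprise Financial Services (S4CORE) | Affected: 1.01 Affected: 1.02 |
| SAP SE | SAP Enterprise Financial Services (EA-FINSERV) | Affected: 6.04 Affected: 6.05 Affected: 6.06 Affected: 6.16 Affected: 6.17 Affected: 6.18 Affected: 8.0 |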
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:33.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Enterprise Financial Services (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.12"
}
]
},
{
"product": "SAP Enterprise Financial Services (S4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.01"
},
{
"status": "affected",
"version": "1.02"
}
]
},
{
"product": "SAP Enterprise Financial Services (EA-FINSERV)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "6.04"
},
{
"status": "affected",
"version": "6.05"
},
{
"status": "affected",
"version": "6.06"
},
{
"status": "affected",
"version": "6.16"
},
{
"status": "affected",
"version": "6.17"
},
{
"status": "affected",
"version": "6.18"
},
{
"status": "affected",
"version": "8.0"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-10T09:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2419",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Enterprise Financial Services (SAPSCORE)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.11"
},
{
"version_affected": "=",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (S4CORE)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.01"
},
{
"version_affected": "=",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "6.04"
},
{
"version_affected": "=",
"version_value": "6.05"
},
{
"version_affected": "=",
"version_value": "6.06"
},
{
"version_affected": "=",
"version_value": "6.16"
},
{
"version_affected": "=",
"version_value": "6.17"
},
{
"version_affected": "=",
"version_value": "6.18"
},
{
"version_affected": "=",
"version_value": "8.0"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104116"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2596627",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2419",
"datePublished": "2018-05-09T20:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:33.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29188 (GCVE-0-2023-29188)
Vulnerability from nvd – Published: 2023-05-09 00:57 – Updated: 2025-01-28 16:13
Summary
SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP_SE | SAP CRM WebClient UI | Affected: SAPSCORE 129 Affected: S4FND 102 Affected: S4FND 103 Affected: S4FND 104 Affected: S4FND 105 Affected: S4FND 106 Affected: S4FND 107 Affected: WEBCUIF 701 Affected: WEBCUIF 731 Affected: WEBCUIF 746 Affected: WEBCUIF 747 Affected: WEBCUIF 748 Affected: WEBCUIF 800 Affected: WEBCUIF 801 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T16:13:12.372471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T16:13:33.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM WebClient UI",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPSCORE 129"
},
{
"status": "affected",
"version": "S4FND 102"
},
{
"status": "affected",
"version": "S4FND 103"
},
{
"status": "affected",
"version": "S4FND 104"
},
{
"status": "affected",
"version": "S4FND 105"
},
{
"status": "affected",
"version": "S4FND 106"
},
{
"status": "affected",
"version": "S4FND 107"
},
{
"status": "affected",
"version": "WEBCUIF 701"
},
{
"status": "affected",
"version": "WEBCUIF 731"
},
{
"status": "affected",
"version": "WEBCUIF 746"
},
{
"status": "affected",
"version": "WEBCUIF 747"
},
{
"status": "affected",
"version": "WEBCUIF 748"
},
{
"status": "affected",
"version": "WEBCUIF 800"
},
{
"status": "affected",
"version": "WEBCUIF 801"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\u003c/p\u003e"
}
],
"value": "SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T00:57:57.055Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://i7p.wdf.sap.corp/sap/support/notes/3315979"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-29188",
"datePublished": "2023-05-09T00:57:57.055Z",
"dateReserved": "2023-04-03T09:22:43.158Z",
"dateUpdated": "2025-01-28T16:13:33.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31597 (GCVE-0-2022-31597)
Vulnerability from nvd – Published: 2022-07-12 20:27 – Updated: 2024-08-03 07:25
Summary
Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
Severity ?
No CVSS data available.
CWE
- CWE-862
Assigner
References
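| URL | Tags |
|---|---|
| https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC |
| https://launchpad.support.sap.com/#/notes/3213826 | x_refsource_MISC |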
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP S/4HANA | Affected: S4CORE 101 Affected: 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: SAPSCORE 127 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:25:59.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP S/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "S4CORE 101"
},
{
"status": "affected",
"version": "102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "SAPSCORE 127"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T20:27:00",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2022-31597",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP S/4HANA",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "S4CORE 101"
},
{
"version_affected": "=",
"version_value": "102"
},
{
"version_affected": "=",
"version_value": "103"
},
{
"version_affected": "=",
"version_value": "104"
},
{
"version_affected": "=",
"version_value": "105"
},
{
"version_affected": "=",
"version_value": "106"
},
{
"version_affected": "=",
"version_value": "SAPSCORE 127"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data."
}
]
},
"impact": {
"cvss": {
"baseScore": "null",
"vectorString": "null",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
"refsource": "MISC",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3213826",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3213826"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2022-31597",
"datePublished": "2022-07-12T20:27:00",
"dateReserved": "2022-05-24T00:00:00",
"dateUpdated": "2024-08-03T07:25:59.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33701 (GCVE-0-2021-33701)
Vulnerability from nvd – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
Summary
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
Severity ?
9.1 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | DMIS Mobile Plug-In | Affected: < DMIS 2011_1_620, < 2011_1_640, < 2011_1_700, < 2011_1_710, < 2011_1_730, < 710, < 2011_1_731, < 2011_1_752, < 2020 |
| SAP SE | SAP S/4HANA | Affected: < SAPSCORE 125, < S4CORE 102, < 102, < 103, < 104, < 105 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DMIS Mobile Plug-In",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c DMIS 2011_1_620"
},
{
"status": "affected",
"version": "\u003c 2011_1_640"
},
{
"status": "affected",
"version": "\u003c 2011_1_700"
},
{
"status": "affected",
"version": "\u003c 2011_1_710"
},
{
"status": "affected",
"version": "\u003c 2011_1_730"
},
{
"status": "affected",
"version": "\u003c 710"
},
{
"status": "affected",
"version": "\u003c 2011_1_731"
},
{
"status": "affected",
"version": "\u003c 2011_1_752"
},
{
"status": "affected",
"version": "\u003c 2020"
}
]
},
{
"product": "SAP S/4HANA",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c SAPSCORE 125"
},
{
"status": "affected",
"version": "\u003c S4CORE 102"
},
{
"status": "affected",
"version": "\u003c 102"
},
{
"status": "affected",
"version": "\u003c 103"
},
{
"status": "affected",
"version": "\u003c 104"
},
{
"status": "affected",
"version": "\u003c 105"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T17:06:24",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2021-33701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DMIS Mobile Plug-In",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "DMIS 2011_1_620"
},
{
"version_name": "\u003c",
"version_value": "2011_1_640"
},
{
"version_name": "\u003c",
"version_value": "2011_1_700"
},
{
"version_name": "\u003c",
"version_value": "2011_1_710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_730"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_731"
},
{
"version_name": "\u003c",
"version_value": "710"
},
{
"version_name": "\u003c",
"version_value": "2011_1_752"
},
{
"version_name": "\u003c",
"version_value": "2020"
}
]
}
},
{
"product_name": "SAP S/4HANA",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "SAPSCORE 125"
},
{
"version_name": "\u003c",
"version_value": "S4CORE 102"
},
{
"version_name": "\u003c",
"version_value": "102"
},
{
"version_name": "\u003c",
"version_value": "103"
},
{
"version_name": "\u003c",
"version_value": "104"
},
{
"version_name": "\u003c",
"version_value": "105"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.1",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"name": "https://launchpad.support.sap.com/#/notes/3078312",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3078312"
},
{
"name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Dec/36"
},
{
"name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Dec/35"
},
{
"name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
},
{
"name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2021-33701",
"datePublished": "2021-09-15T18:01:55",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0245 (GCVE-0-2019-0245)
Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP CRM WebClient UI (SAPSCORE) | Affected: < 1.12 |
| SAP SE | SAP CRM WebClient UI (S4FND) | Affected: < 1.02 |
| SAP SE | SAP CRM WebClient UI (WEBCUIF) | Affected: < 7.31, < 7.46, < 7.47, < 7.48, < 8.0, < 8.01 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0245",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106468",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106468"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0245",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:15.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0244 (GCVE-0-2019-0244)
Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-04 17:44
Summary
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP CRM WebClient UI (SAPSCORE) | Affected: < 1.12 |
| SAP SE | SAP CRM WebClient UI (S4FND) | Affected: < 1.02 |
| SAP SE | SAP CRM WebClient UI (WEBCUIF) | Affected: < 7.31, < 7.46, < 7.47, < 7.48, < 8.0, < 8.01 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM WebClient UI (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
},
{
"product": "SAP CRM WebClient UI (S4FND)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.02"
}
]
},
{
"product": "SAP CRM WebClient UI (WEBCUIF)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.46"
},
{
"status": "affected",
"version": "\u003c 7.47"
},
{
"status": "affected",
"version": "\u003c 7.48"
},
{
"status": "affected",
"version": "\u003c 8.0"
},
{
"status": "affected",
"version": "\u003c 8.01"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106473"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM WebClient UI (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (S4FND)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP CRM WebClient UI (WEBCUIF)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.46"
},
{
"version_name": "\u003c",
"version_value": "7.47"
},
{
"version_name": "\u003c",
"version_value": "7.48"
},
{
"version_name": "\u003c",
"version_value": "8.0"
},
{
"version_name": "\u003c",
"version_value": "8.01"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2588763",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2588763"
},
{
"name": "106473",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106473"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0244",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2484 (GCVE-0-2018-2484)
Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-05 04:21
Summary
SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
Impacted products
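| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP Enterprise Financial Services (SAPSCORE) | Affected: < 1.13, < 1.14, < 1.15 |
| SAP SE | SAP Enterprise Financial Services (S4CORE) | Affected: < 1.01, < 1.02, < 1.03 |
| SAP SE | SAP Enterprise Financial Services (EA-FINSERV) | Affected: < 1.10, < 2.0, < 5.0, < 6.0, < 6.03, < 6.04, < 6.05, < 6.06, < 6.16, < 6.17, < 6.18, < 8.0 |
| SAP SE | SAP Enterprise Financial Services (Bank/CFM) | Affected: < 4.63_20 |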
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:33.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106477"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Enterprise Financial Services (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13"
},
{
"status": "affected",
"version": "\u003c 1.14"
},
{
"status": "affected",
"version": "\u003c 1.15"
}
]
},
{
"product": "SAP Enterprise Financial Services (S4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.01"
},
{
"status": "affected",
"version": "\u003c 1.02"
},
{
"status": "affected",
"version": "\u003c 1.03"
}
]
},
{
"product": "SAP Enterprise Financial Services (EA-FINSERV)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10"
},
{
"status": "affected",
"version": "\u003c 2.0"
},
{
"status": "affected",
"version": "\u003c 5.0"
},
{
"status": "affected",
"version": "\u003c 6.0"
},
{
"status": "affected",
"version": "\u003c 6.03"
},
{
"status": "affected",
"version": "\u003c 6.04"
},
{
"status": "affected",
"version": "\u003c 6.05"
},
{
"status": "affected",
"version": "\u003c 6.06"
},
{
"status": "affected",
"version": "\u003c 6.16"
},
{
"status": "affected",
"version": "\u003c 6.17"
},
{
"status": "affected",
"version": "\u003c 6.18"
},
{
"status": "affected",
"version": "\u003c 8.0"
}
]
},
{
"product": "SAP Enterprise Financial Services (Bank/CFM)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 4.63_20"
}
]
}
],
"datePublic": "2019-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106477"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Enterprise Financial Services (SAPSCORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.13"
},
{
"version_name": "\u003c",
"version_value": "1.14"
},
{
"version_name": "\u003c",
"version_value": "1.15"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (S4CORE)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.01"
},
{
"version_name": "\u003c",
"version_value": "1.02"
},
{
"version_name": "\u003c",
"version_value": "1.03"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "1.10"
},
{
"version_name": "\u003c",
"version_value": "2.0"
},
{
"version_name": "\u003c",
"version_value": "5.0"
},
{
"version_name": "\u003c",
"version_value": "6.0"
},
{
"version_name": "\u003c",
"version_value": "6.03"
},
{
"version_name": "\u003c",
"version_value": "6.04"
},
{
"version_name": "\u003c",
"version_value": "6.05"
},
{
"version_name": "\u003c",
"version_value": "6.06"
},
{
"version_name": "\u003c",
"version_value": "6.16"
},
{
"version_name": "\u003c",
"version_value": "6.17"
},
{
"version_name": "\u003c",
"version_value": "6.18"
},
{
"version_name": "\u003c",
"version_value": "8.0"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (Bank/CFM)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "4.63_20"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/2662687",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2662687"
},
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
},
{
"name": "106477",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106477"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2484",
"datePublished": "2019-01-08T20:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:33.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2419 (GCVE-0-2018-2419)
Vulnerability from nvd – Published: 2018-05-09 20:00 – Updated: 2024-08-05 04:21
Summary
SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Severity ?
3.7 (Low)
CWE
- Missing Authorization Check
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP Enterprise Financial Services (SAPSCORE) | Affected: 1.11, 1.12 |
| SAP SE | SAP Enterprise Financial Services (S4CORE) | Affected: 1.01, 1.02 |
| SAP SE | SAP Enterprise Financial Services (EA-FINSERV) | Affected: 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:33.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Enterprise Financial Services (SAPSCORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.12"
}
]
},
{
"product": "SAP Enterprise Financial Services (S4CORE)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "1.01"
},
{
"status": "affected",
"version": "1.02"
}
]
},
{
"product": "SAP Enterprise Financial Services (EA-FINSERV)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "6.04"
},
{
"status": "affected",
"version": "6.05"
},
{
"status": "affected",
"version": "6.06"
},
{
"status": "affected",
"version": "6.16"
},
{
"status": "affected",
"version": "6.17"
},
{
"status": "affected",
"version": "6.18"
},
{
"status": "affected",
"version": "8.0"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-10T09:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104116"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2419",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Enterprise Financial Services (SAPSCORE)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.11"
},
{
"version_affected": "=",
"version_value": "1.12"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (S4CORE)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.01"
},
{
"version_affected": "=",
"version_value": "1.02"
}
]
}
},
{
"product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "6.04"
},
{
"version_affected": "=",
"version_value": "6.05"
},
{
"version_affected": "=",
"version_value": "6.06"
},
{
"version_affected": "=",
"version_value": "6.16"
},
{
"version_affected": "=",
"version_value": "6.17"
},
{
"version_affected": "=",
"version_value": "6.18"
},
{
"version_affected": "=",
"version_value": "8.0"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
},
{
"name": "104116",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104116"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2596627",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2596627"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2419",
"datePublished": "2018-05-09T20:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:33.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}