{"vulnerability": "cve-2023-2452", "sightings": [{"uuid": "7f39301d-6134-49e3-8367-c774623a65a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24526", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5734", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-24526\n\ud83d\udd25 CVSS Score: 5.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.\n\n\n\ud83d\udccf Published: 2023-03-14T04:38:03.702Z\n\ud83d\udccf Modified: 2025-02-27T18:15:15.151Z\n\ud83d\udd17 References:\n1. https://launchpad.support.sap.com/#/notes/3288394\n2. https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "creation_timestamp": "2025-02-27T18:26:50.000000Z"}, {"uuid": "9e37755a-3717-4d77-a112-a07eebb356fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24521", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/8336", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-24521\n\ud83d\udd25 CVSS Score: 6.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n\n\ud83d\udccf Published: 2023-02-14T03:16:44.948Z\n\ud83d\udccf Modified: 2025-03-21T14:03:26.159Z\n\ud83d\udd17 References:\n1. https://launchpad.support.sap.com/#/notes/3269151\n2. https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "creation_timestamp": "2025-03-21T14:19:07.000000Z"}, {"uuid": "ec52b42b-7002-4815-9b2d-6c7524379bfc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24526", "type": "seen", "source": "https://t.me/cibsecurity/59949", "content": "\u203c CVE-2023-24526 \u203c\n\nSAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-14T12:54:08.000000Z"}, {"uuid": "bd5bafb0-e0de-44ed-a51c-531726d9aab6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24529", "type": "seen", "source": "https://t.me/cibsecurity/58062", "content": "\u203c CVE-2023-24529 \u203c\n\nDue to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-02-14T07:30:38.000000Z"}, {"uuid": "2b4241fb-561f-4d8a-82da-c88bf41be2a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24524", "type": "seen", "source": "https://t.me/cibsecurity/58055", "content": "\u203c CVE-2023-24524 \u203c\n\nSAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-02-14T07:30:27.000000Z"}, {"uuid": "a79f913a-2ab6-4fba-9cd1-ab82999eab2d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24528", "type": "seen", "source": "https://t.me/cibsecurity/58051", "content": "\u203c CVE-2023-24528 \u203c\n\nSAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-02-14T07:30:20.000000Z"}, {"uuid": "706db85a-3943-4f7e-a057-19a3386772de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24523", "type": "seen", "source": "https://t.me/cibsecurity/58050", "content": "\u203c CVE-2023-24523 \u203c\n\nAn attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-02-14T07:30:20.000000Z"}, {"uuid": "52677a14-8a78-4861-a36f-123a5dd91655", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-24525", "type": "seen", "source": "https://t.me/cibsecurity/58053", "content": "\u203c CVE-2023-24525 \u203c\n\nSAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-02-14T07:30:26.000000Z"}]}