Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2023-0356
Vulnerability from csaf_certbund
Published
2023-02-13 23:00
Modified
2023-02-13 23:00
Summary
SAP Software: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- MacOS X
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- MacOS X\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-0356 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0356.json", }, { category: "self", summary: "WID-SEC-2023-0356 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0356", }, { category: "external", summary: "SAP Patchday Februar 2023 vom 2023-02-13", url: "https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10", }, ], source_lang: "en-US", title: "SAP Software: Mehrere Schwachstellen", tracking: { current_release_date: "2023-02-13T23:00:00.000+00:00", generator: { date: "2024-08-15T17:43:30.138+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-0356", initial_release_date: "2023-02-13T23:00:00.000+00:00", revision_history: [ { date: "2023-02-13T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "SAP Software", product: { name: "SAP Software", product_id: "T016476", product_identification_helper: { cpe: "cpe:/a:sap:sap:-", }, }, }, ], category: "vendor", name: "SAP", }, ], }, vulnerabilities: [ { cve: "CVE-2023-25614", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-25614", }, { cve: "CVE-2023-24530", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24530", }, { cve: "CVE-2023-24529", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24529", }, { cve: "CVE-2023-24528", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24528", }, { cve: "CVE-2023-24525", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24525", }, { cve: "CVE-2023-24524", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24524", }, { cve: "CVE-2023-24523", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24523", }, { cve: "CVE-2023-24522", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24522", }, { cve: "CVE-2023-24521", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-24521", }, { cve: "CVE-2023-23860", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23860", }, { cve: "CVE-2023-23859", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23859", }, { cve: "CVE-2023-23858", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23858", }, { cve: "CVE-2023-23856", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23856", }, { cve: "CVE-2023-23855", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23855", }, { cve: "CVE-2023-23854", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23854", }, { cve: "CVE-2023-23853", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23853", }, { cve: "CVE-2023-23852", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23852", }, { cve: "CVE-2023-23851", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-23851", }, { cve: "CVE-2023-0025", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-0025", }, { cve: "CVE-2023-0024", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-0024", }, { cve: "CVE-2023-0020", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-0020", }, { cve: "CVE-2023-0019", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-0019", }, { cve: "CVE-2023-0013", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2023-0013", }, { cve: "CVE-2022-41268", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2022-41268", }, { cve: "CVE-2022-41264", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2022-41264", }, { cve: "CVE-2022-41262", notes: [ { category: "description", text: "In den folgenden SAP-Anwendungskomponenten bestehen mehrere Schwachstellen: SAP Business Client, SAP Host Agent Service, SAP BASIS, SAP BusinessObjects Business Intelligence platform, SAP Business Planning and Consolidation, SAP Solution Manager, SAP GRC Process Control application, SAP Fiori apps, SAP S/4 HANA, SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java und SAP CRM. Beschreibungen und Updates für diese Schwachstellen finden Sie in den SAP-Sicherheitshinweisen. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit Integrität und die Verfügbarkeit zu gefährden. Um einige dieser Schwachstellen auszunutzen, sind Benutzerinteraktion oder privilegierte Rechte erforderlich.", }, ], product_status: { known_affected: [ "T016476", ], }, release_date: "2023-02-13T23:00:00.000+00:00", title: "CVE-2022-41262", }, ], }
CVE-2023-0024 (GCVE-0-2023-0024)
Vulnerability from cvelistv5
Published
2023-02-14 03:10
Modified
2025-03-20 18:50
Severity ?
EPSS score ?
Summary
SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources, resulting in Cross-Site Scripting vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Solution Manager (BSP Application) |
Version: 720 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.588Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3265846", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0024", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:50:13.912386Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:50:16.520Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Solution Manager (BSP Application)", vendor: "SAP", versions: [ { status: "affected", version: "720", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources, resulting in Cross-Site Scripting vulnerability.</p>", }, ], value: "SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources, resulting in Cross-Site Scripting vulnerability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:20:42.138Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3265846", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0024", datePublished: "2023-02-14T03:10:22.489Z", dateReserved: "2022-12-22T15:07:28.679Z", dateUpdated: "2025-03-20T18:50:16.520Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23851 (GCVE-0-2023-23851)
Vulnerability from cvelistv5
Published
2023-02-14 03:11
Modified
2025-03-21 14:04
Severity ?
EPSS score ?
Summary
SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Business Planning and Consolidation |
Version: 200 Version: 300 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:26.843Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3275841", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23851", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-21T14:04:08.378403Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-21T14:04:17.340Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Business Planning and Consolidation", vendor: "SAP", versions: [ { status: "affected", version: "200", }, { status: "affected", version: "300", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.</p>", }, ], value: "SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434: Unrestricted Upload of File with Dangerous Type", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:22:35.435Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3275841", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23851", datePublished: "2023-02-14T03:11:51.221Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-21T14:04:17.340Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24521 (GCVE-0-2023-24521)
Vulnerability from cvelistv5
Published
2023-02-14 03:16
Modified
2025-03-21 14:03
Severity ?
EPSS score ?
Summary
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS ABAP (BSP Framework) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.371Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3269151", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24521", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-21T14:03:17.636753Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-21T14:03:26.159Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (BSP Framework)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.</p>", }, ], value: "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:23:43.830Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3269151", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24521", datePublished: "2023-02-14T03:16:44.948Z", dateReserved: "2023-01-25T15:46:55.580Z", dateUpdated: "2025-03-21T14:03:26.159Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41262 (GCVE-0-2022-41262)
Vulnerability from cvelistv5
Published
2022-12-12 21:39
Modified
2025-04-22 14:39
Severity ?
EPSS score ?
Summary
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS for Java (Http Provider Service) |
Version: 7.50 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:42:43.970Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3262544", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-41262", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-22T14:38:54.623852Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-22T14:39:07.399Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for Java (Http Provider Service)", vendor: "SAP", versions: [ { status: "affected", version: "7.50", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: white;\">Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.</span><br>", }, ], value: "Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-16T03:05:53.087Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3262544", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41262", datePublished: "2022-12-12T21:39:53.223Z", dateReserved: "2022-09-21T16:20:14.947Z", dateUpdated: "2025-04-22T14:39:07.399Z", requesterUserId: "048f1e0a-8756-40de-bd1f-51292c7183c7", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23856 (GCVE-0-2023-23856)
Vulnerability from cvelistv5
Published
2023-02-14 03:15
Modified
2025-03-20 17:55
Severity ?
EPSS score ?
Summary
In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP BusinessObjects Business Intelligence (Web Intelligence UI) |
Version: 430 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:26.673Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3263863", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23856", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T17:55:28.717558Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T17:55:57.774Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP BusinessObjects Business Intelligence (Web Intelligence UI)", vendor: "SAP_SE", versions: [ { status: "affected", version: "430", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application.</p>", }, ], value: "In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-14T03:15:05.875Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3263863", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23856", datePublished: "2023-02-14T03:15:05.875Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T17:55:57.774Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23854 (GCVE-0-2023-23854)
Vulnerability from cvelistv5
Published
2023-02-14 03:13
Modified
2025-03-19 15:30
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:26.812Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3287291", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23854", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-19T15:30:14.639772Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-19T15:30:40.260Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862 Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:21:48.072Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3287291", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23854", datePublished: "2023-02-14T03:13:55.816Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-19T15:30:40.260Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0025 (GCVE-0-2023-0025)
Vulnerability from cvelistv5
Published
2023-02-14 03:10
Modified
2025-03-21 14:21
Severity ?
EPSS score ?
Summary
SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Solution Manager (BSP Application) |
Version: 720 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.567Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3267442", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0025", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-21T14:21:05.973708Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-21T14:21:13.618Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Solution Manager (BSP Application)", vendor: "SAP", versions: [ { status: "affected", version: "720", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.</p>", }, ], value: "SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:20:20.171Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3267442", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0025", datePublished: "2023-02-14T03:10:47.861Z", dateReserved: "2022-12-22T15:07:29.566Z", dateUpdated: "2025-03-21T14:21:13.618Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24525 (GCVE-0-2023-24525)
Vulnerability from cvelistv5
Published
2023-02-14 03:18
Modified
2025-03-20 20:22
Severity ?
EPSS score ?
Summary
SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | CRM (WebClient UI) |
Version: WEBCUIF 748 Version: 800 Version: 801 Version: S4FND 102 Version: 103 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.230Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2788178", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24525", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:22:47.832336Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:22:57.501Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "CRM (WebClient UI)", vendor: "SAP", versions: [ { status: "affected", version: "WEBCUIF 748", }, { status: "affected", version: "800", }, { status: "affected", version: "801", }, { status: "affected", version: "S4FND 102", }, { status: "affected", version: "103", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.</p>", }, ], value: "SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:25:50.210Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/2788178", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24525", datePublished: "2023-02-14T03:18:24.206Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:22:57.501Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23858 (GCVE-0-2023-23858)
Vulnerability from cvelistv5
Published
2023-02-14 03:15
Modified
2025-03-20 18:47
Severity ?
EPSS score ?
Summary
Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.147Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3293786", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23858", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:47:31.068165Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:47:35.413Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.</p>", }, ], value: "Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-14T03:15:27.883Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3293786", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23858", datePublished: "2023-02-14T03:15:27.883Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:47:35.413Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24524 (GCVE-0-2023-24524)
Vulnerability from cvelistv5
Published
2023-02-14 03:17
Modified
2025-03-20 20:30
Severity ?
EPSS score ?
Summary
SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | S/4 HANA (Map Treasury Correspondence Format Data) |
Version: 104 Version: 105 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.281Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2985905", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24524", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:30:47.156218Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:30:54.464Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "S/4 HANA (Map Treasury Correspondence Format Data)", vendor: "SAP", versions: [ { status: "affected", version: "104", }, { status: "affected", version: "105", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.</p>", }, ], value: "SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:26:06.960Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/2985905", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24524", datePublished: "2023-02-14T03:17:59.139Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:30:54.464Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24530 (GCVE-0-2023-24530)
Vulnerability from cvelistv5
Published
2023-02-14 03:19
Modified
2025-03-20 20:19
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | BusinessObjects Business Intelligence Platform (CMC) |
Version: 420 Version: 430 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.364Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3256787", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24530", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:18:49.511202Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:19:02.203Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "BusinessObjects Business Intelligence Platform (CMC)", vendor: "SAP", versions: [ { status: "affected", version: "420", }, { status: "affected", version: "430", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application.</p>", }, ], value: "SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434: Unrestricted Upload of File with Dangerous Type", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:27:38.517Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3256787", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24530", datePublished: "2023-02-14T03:19:44.905Z", dateReserved: "2023-01-25T15:46:55.582Z", dateUpdated: "2025-03-20T20:19:02.203Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41268 (GCVE-0-2022-41268)
Vulnerability from cvelistv5
Published
2022-12-13 02:52
Modified
2025-04-22 14:20
Severity ?
EPSS score ?
Summary
In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Business Planning and Consolidation |
Version: SAP_BW 750 < Version: DWCORE 200 < Version: CPMBPC 810 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:42:43.986Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3271091", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-41268", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-04-22T14:20:07.076563Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-22T14:20:20.822Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Business Planning and Consolidation", vendor: "SAP", versions: [ { lessThanOrEqual: "SAP_BW 757", status: "affected", version: "SAP_BW 750", versionType: "custom", }, { lessThanOrEqual: "DWCORE 300", status: "affected", version: "DWCORE 200", versionType: "custom", }, { status: "affected", version: "CPMBPC 810", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.", }, ], value: "In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-269", description: "CWE-269 Improper Privilege Management", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-13T02:52:25.032Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3271091", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41268", datePublished: "2022-12-13T02:52:25.032Z", dateReserved: "2022-09-21T16:20:14.949Z", dateUpdated: "2025-04-22T14:20:20.822Z", requesterUserId: "048f1e0a-8756-40de-bd1f-51292c7183c7", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23855 (GCVE-0-2023-23855)
Vulnerability from cvelistv5
Published
2023-02-14 03:14
Modified
2025-03-20 18:49
Severity ?
EPSS score ?
Summary
SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Solution Manager |
Version: 720 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:26.959Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3270509", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23855", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:48:56.209255Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:49:06.163Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Solution Manager", vendor: "SAP", versions: [ { status: "affected", version: "720", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.</p>", }, ], value: "SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:21:34.343Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3270509", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23855", datePublished: "2023-02-14T03:14:29.486Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:49:06.163Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24523 (GCVE-0-2023-24523)
Vulnerability from cvelistv5
Published
2023-02-14 03:17
Modified
2024-08-02 10:56
Severity ?
EPSS score ?
Summary
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Host Agent Service |
Version: 7.21 Version: 7.22 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.370Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3285757", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Host Agent Service", vendor: "SAP", versions: [ { status: "affected", version: "7.21", }, { status: "affected", version: "7.22", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.</p>", }, ], value: "An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-668", description: "CWE-668: Exposure of Resource to Wrong Sphere", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:26:20.554Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3285757", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24523", datePublished: "2023-02-14T03:17:37.098Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2024-08-02T10:56:04.370Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0013 (GCVE-0-2023-0013)
Vulnerability from cvelistv5
Published
2023-01-10 02:50
Modified
2025-04-09 15:25
Severity ?
EPSS score ?
Summary
The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.608Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3283283", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0013", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-09T15:25:38.335011Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-09T15:25:48.857Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.", }, ], value: "The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-10T02:50:52.294Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3283283", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0013", datePublished: "2023-01-10T02:50:52.294Z", dateReserved: "2022-12-16T03:13:36.148Z", dateUpdated: "2025-04-09T15:25:48.857Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0020 (GCVE-0-2023-0020)
Vulnerability from cvelistv5
Published
2023-02-14 03:08
Modified
2025-03-20 18:50
Severity ?
EPSS score ?
Summary
SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP BusinessObjects Business Intelligence Platform |
Version: 420 Version: 430 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.627Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3263135", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0020", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:50:43.639789Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:50:52.988Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP BusinessObjects Business Intelligence Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "420", }, { status: "affected", version: "430", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.</p>", }, ], value: "SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-14T03:08:46.257Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3263135", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0020", datePublished: "2023-02-14T03:08:46.257Z", dateReserved: "2022-12-20T03:49:44.135Z", dateUpdated: "2025-03-20T18:50:52.988Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23853 (GCVE-0-2023-23853)
Vulnerability from cvelistv5
Published
2023-02-14 03:13
Modified
2025-03-20 18:49
Severity ?
EPSS score ?
Summary
An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.066Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3271227", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23853", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:49:25.546555Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:49:33.080Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.</p>", }, ], value: "An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:22:01.425Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3271227", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23853", datePublished: "2023-02-14T03:13:28.319Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:49:33.080Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23859 (GCVE-0-2023-23859)
Vulnerability from cvelistv5
Published
2023-02-14 03:15
Modified
2025-03-20 18:47
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.061Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23859", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:47:09.242964Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:47:11.697Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:23:19.231Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3268959", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23859", datePublished: "2023-02-14T03:15:54.117Z", dateReserved: "2023-01-19T00:05:29.416Z", dateUpdated: "2025-03-20T18:47:11.697Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24522 (GCVE-0-2023-24522)
Vulnerability from cvelistv5
Published
2023-02-14 03:17
Modified
2025-03-20 20:31
Severity ?
EPSS score ?
Summary
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS ABAP (BSP Framework) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.378Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3269118", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24522", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:31:22.712249Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:31:30.924Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (BSP Framework)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.</p>", }, ], value: "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:26:34.087Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3269118", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24522", datePublished: "2023-02-14T03:17:02.758Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:31:30.924Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23860 (GCVE-0-2023-23860)
Vulnerability from cvelistv5
Published
2023-02-14 03:16
Modified
2025-03-20 18:46
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.121Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23860", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:46:08.765941Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:46:16.391Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:23:01.734Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3268959", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23860", datePublished: "2023-02-14T03:16:18.411Z", dateReserved: "2023-01-19T00:05:29.416Z", dateUpdated: "2025-03-20T18:46:16.391Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41264 (GCVE-0-2022-41264)
Vulnerability from cvelistv5
Published
2022-12-13 02:27
Modified
2025-04-22 14:24
Severity ?
EPSS score ?
Summary
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:42:44.052Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3268172", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-41264", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-04-22T14:24:09.747878Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-22T14:24:19.868Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "BASIS", vendor: "SAP", versions: [ { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: white;\">Due to the unrestricted scope of the RFC function module, SAP BASIS - versions </span>731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, <span style=\"background-color: white;\">allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.</span><br>", }, ], value: "Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-13T02:27:48.081Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3268172", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41264", datePublished: "2022-12-13T02:27:48.081Z", dateReserved: "2022-09-21T16:20:14.948Z", dateUpdated: "2025-04-22T14:24:19.868Z", requesterUserId: "048f1e0a-8756-40de-bd1f-51292c7183c7", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23852 (GCVE-0-2023-23852)
Vulnerability from cvelistv5
Published
2023-02-14 03:12
Modified
2025-03-20 18:49
Severity ?
EPSS score ?
Summary
SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Solution Manager |
Version: 720 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.212Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3266751", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23852", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:49:51.642901Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:49:56.194Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Solution Manager", vendor: "SAP", versions: [ { status: "affected", version: "720", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.</p>", }, ], value: "SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:22:15.619Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3266751", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23852", datePublished: "2023-02-14T03:12:23.399Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:49:56.194Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24528 (GCVE-0-2023-24528)
Vulnerability from cvelistv5
Published
2023-02-14 03:18
Modified
2025-03-20 20:22
Severity ?
EPSS score ?
Summary
SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests) |
Version: 600 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.225Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3290901", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24528", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:22:12.985370Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:22:20.083Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests)", vendor: "SAP", versions: [ { status: "affected", version: "600", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents.</p>", }, ], value: "SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:25:07.475Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3290901", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24528", datePublished: "2023-02-14T03:18:53.948Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:22:20.083Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24529 (GCVE-0-2023-24529)
Vulnerability from cvelistv5
Published
2023-02-14 03:19
Modified
2025-03-20 20:21
Severity ?
EPSS score ?
Summary
Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS ABAP (Business Server Pages application) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 75C Version: 75D Version: 75E Version: 75F Version: 75G Version: 75H |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.273Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3282663", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24529", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:21:20.984968Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:21:30.580Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (Business Server Pages application)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "75C", }, { status: "affected", version: "75D", }, { status: "affected", version: "75E", }, { status: "affected", version: "75F", }, { status: "affected", version: "75G", }, { status: "affected", version: "75H", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.</p>", }, ], value: "Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:24:44.858Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3282663", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24529", datePublished: "2023-02-14T03:19:22.690Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:21:30.580Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0019 (GCVE-0-2023-0019)
Vulnerability from cvelistv5
Published
2023-02-14 03:06
Modified
2025-03-20 18:52
Severity ?
EPSS score ?
Summary
In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP GRC (Process Control) |
Version: V1200 Version: V8100 Version: V1100_700 Version: V1100_731 Version: V1200_750 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.570Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3281724", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0019", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:52:24.220361Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:52:31.598Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP GRC (Process Control)", vendor: "SAP_SE", versions: [ { status: "affected", version: "V1200", }, { status: "affected", version: "V8100", }, { status: "affected", version: "V1100_700", }, { status: "affected", version: "V1100_731", }, { status: "affected", version: "V1200_750", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.</p>", }, ], value: "In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-14T03:06:56.391Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3281724", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0019", datePublished: "2023-02-14T03:06:56.391Z", dateReserved: "2022-12-20T03:49:40.251Z", dateUpdated: "2025-03-20T18:52:31.598Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-25614 (GCVE-0-2023-25614)
Vulnerability from cvelistv5
Published
2023-02-14 03:20
Modified
2025-03-20 20:16
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | NetWeaver AS ABAP (BSP Framework) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:25:19.310Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3274585", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-25614", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:16:04.671050Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:16:11.329Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (BSP Framework)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.</p>", }, ], value: "SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:29:07.679Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3274585", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-25614", datePublished: "2023-02-14T03:20:11.856Z", dateReserved: "2023-02-09T13:30:50.223Z", dateUpdated: "2025-03-20T20:16:11.329Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.