Security Vulnerabilities - CVEs Published In 2022
In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.
CVSS Score
8.5
EPSS Score
0.003
Published
2022-12-13
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to:
* Read any information
* Modify sensitive information
* Denial of Service attacks (DoS)
* SQL Injection
CVSS Score
9.4
EPSS Score
0.002
Published
2022-12-13
Logrhythm Web Console 7.4.9 allows for HTML tag injection through Contextualize Action -> Create a new Contextualize Action -> Inject your HTML tag in the name field.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-12-13
A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files.
CVSS Score
7.5
EPSS Score
0.741
Published
2022-12-12
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.
CVSS Score
6.0
EPSS Score
0.0
Published
2022-12-12
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.
CVSS Score
6.1
EPSS Score
0.007
Published
2022-12-12
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-12-12
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-12-12
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Self-XSS.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-12-12
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.
CVSS Score
6.1
EPSS Score
0.01
Published
2022-12-12