Sap: Security Vulnerabilities
SAP Transportation Management (Collaboration
Portal) allows an attacker with non-administrative privileges to send a crafted
request from a vulnerable web application. This will trigger the application
handler to send a request to an unintended service, which may reveal
information about that service. The information obtained could be used to
target internal systems behind firewalls that are normally inaccessible to an
attacker from the external network, resulting in a Server-Side Request Forgery
vulnerability. There is no effect on integrity or availability of the
application.
CVSS Score
5.0
EPSS Score
0.001
Published
2024-07-09
SAP S/4HANA Finance (Advanced Payment
Management) does not perform necessary authorization check for an authenticated
user, resulting in escalation of privileges. As a result, it has a low impact
to confidentiality and availability but there is no impact on the integrity.
CVSS Score
5.4
EPSS Score
0.002
Published
2024-07-09
SAP CRM WebClient does not
perform necessary authorization check for an authenticated user, resulting in
escalation of privileges. This could allow an attacker to access some sensitive
information.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-07-09
WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.
CVSS Score
5.0
EPSS Score
0.001
Published
2024-07-09
SAP CRM (WebClient UI Framework) allows an
authenticated attacker to enumerate accessible HTTP endpoints in the internal
network by specially crafting HTTP requests. On successful exploitation this
can result in information disclosure. It has no impact on integrity and
availability of the application.
CVSS Score
5.0
EPSS Score
0.001
Published
2024-07-09
Custom CSS support option in SAP CRM WebClient
UI does not sufficiently encode user-controlled inputs resulting in Cross-Site
Scripting vulnerability. On successful exploitation an attacker can cause
limited impact on confidentiality and integrity of the application.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-07-09
Elements of PDCE does not perform necessary
authorization checks for an authenticated user, resulting in escalation of
privileges.
This
allows an attacker to read sensitive information causing high impact on the
confidentiality of the application.
CVSS Score
7.7
EPSS Score
0.001
Published
2024-07-09
SAP Landscape Management allows an authenticated
user to read confidential data disclosed by the REST Provider Definition
response. Successful exploitation can cause high impact on confidentiality of
the managed entities.
CVSS Score
6.9
EPSS Score
0.001
Published
2024-07-09
Due to weak encoding of user-controlled input in
SAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can
be executed in the application, potentially leading to a Cross-Site Scripting
(XSS) vulnerability. This has no impact on the availability of the application
but it has a low impact on its confidentiality and integrity.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-07-09
Due to insufficient input validation, SAP
CRM WebClient UI allows an unauthenticated attacker to craft a URL link which
embeds a malicious script. When a victim clicks on this link, the script will
be executed in the victim's browser giving the attacker the ability to access
and/or modify information with no effect on availability of the application.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-07-09