Search

Find a vulnerability

Search criteria

    26 vulnerabilities found for s4core by sap

    CVE-2026-24323 (GCVE-0-2026-24323)

    Vulnerability from nvd – Published: 2026-02-10 03:04 – Updated: 2026-02-10 16:22
    VLAI
    Title
    Multiple vulnerabilities in BSP Applications of SAP Document Management System
    Summary
    The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Document Management System Affected: SAP_APPL 618
    Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Affected: EA-APPL 600
    Affected: 602
    Affected: 603
    Affected: 604
    Affected: 605
    Affected: 606
    Affected: 617
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:19:53.737158Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:22:54.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Document Management System",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                },
                {
                  "status": "affected",
                  "version": "EA-APPL 600"
                },
                {
                  "status": "affected",
                  "version": "602"
                },
                {
                  "status": "affected",
                  "version": "603"
                },
                {
                  "status": "affected",
                  "version": "604"
                },
                {
                  "status": "affected",
                  "version": "605"
                },
                {
                  "status": "affected",
                  "version": "606"
                },
                {
                  "status": "affected",
                  "version": "617"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:04:11.848Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3678417"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-24323",
        "datePublished": "2026-02-10T03:04:11.848Z",
        "dateReserved": "2026-01-21T22:15:36.672Z",
        "dateUpdated": "2026-02-10T16:22:54.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23688 (GCVE-0-2026-23688)

    Vulnerability from nvd – Published: 2026-02-10 03:02 – Updated: 2026-02-10 17:18
    VLAI
    Title
    Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)
    Summary
    SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Fiori App (Manage Service Entry Sheets - Lean Services) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23688",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T17:18:26.924360Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T17:18:34.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Fiori App (Manage Service Entry Sheets - Lean Services)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted.\u003c/p\u003e"
                }
              ],
              "value": "SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:02:58.702Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3215823"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-23688",
        "datePublished": "2026-02-10T03:02:58.702Z",
        "dateReserved": "2026-01-14T18:26:17.297Z",
        "dateUpdated": "2026-02-10T17:18:34.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0505 (GCVE-0-2026-0505)

    Vulnerability from nvd – Published: 2026-02-10 03:01 – Updated: 2026-02-10 16:28
    VLAI
    Title
    Multiple vulnerabilities in BSP Applications of SAP Document Management System
    Summary
    The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Document Management System Affected: SAP_APPL 618
    Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Affected: EA-APPL 600
    Affected: 602
    Affected: 603
    Affected: 604
    Affected: 605
    Affected: 606
    Affected: 617
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0505",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:28:21.921328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:28:31.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Document Management System",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                },
                {
                  "status": "affected",
                  "version": "EA-APPL 600"
                },
                {
                  "status": "affected",
                  "version": "602"
                },
                {
                  "status": "affected",
                  "version": "603"
                },
                {
                  "status": "affected",
                  "version": "604"
                },
                {
                  "status": "affected",
                  "version": "605"
                },
                {
                  "status": "affected",
                  "version": "606"
                },
                {
                  "status": "affected",
                  "version": "617"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:01:30.818Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3678417"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-0505",
        "datePublished": "2026-02-10T03:01:30.818Z",
        "dateReserved": "2025-12-09T22:06:45.302Z",
        "dateUpdated": "2026-02-10T16:28:31.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37172 (GCVE-0-2024-37172)

    Vulnerability from nvd – Published: 2024-07-09 04:15 – Updated: 2024-08-02 03:50
    VLAI
    Title
    [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
    Summary
    SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA Finance (Advanced Payment Management) Affected: S4CORE 107
    Affected: S4CORE 108
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-09T15:16:10.095214Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-09T15:16:18.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:54.731Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://url.sap/sapsecuritypatchday"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3457354"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA Finance (Advanced Payment Management)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 107"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity.\n\n\n\n"
                }
              ],
              "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T04:15:22.833Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://url.sap/sapsecuritypatchday"
            },
            {
              "url": "https://me.sap.com/notes/3457354"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-37172",
        "datePublished": "2024-07-09T04:15:22.833Z",
        "dateReserved": "2024-06-04T07:49:42.491Z",
        "dateUpdated": "2024-08-02T03:50:54.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-39592 (GCVE-0-2024-39592)

    Vulnerability from nvd – Published: 2024-07-09 03:45 – Updated: 2024-08-02 04:26
    VLAI
    Title
    [CVE-2024-39592] Missing Authorization check in SAP PDCE
    Summary
    Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP PDCE Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4COREOP 104
    Affected: S4COREOP 105
    Affected: S4COREOP 106
    Affected: S4COREOP 107
    Affected: S4COREOP 108
    Create a notification for this product.
    sap_se sap_pdce Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4COREOP 104
    Affected: S4COREOP 105
    Affected: S4COREOP 106
    Affected: S4COREOP 107
    Affected: S4COREOP 108
        cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "sap_pdce",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "S4CORE 102"
                  },
                  {
                    "status": "affected",
                    "version": "S4CORE 103"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 104"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 105"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 106"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 107"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 108"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39592",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T18:22:20.617499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T18:33:09.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:26:15.969Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://url.sap/sapsecuritypatchday"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3483344"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP PDCE",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 103"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 104"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 105"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 106"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 107"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eElements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\u003c/p\u003e\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application.\n\n\n\n"
                }
              ],
              "value": "Elements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\n\n\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T03:45:56.018Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://url.sap/sapsecuritypatchday"
            },
            {
              "url": "https://me.sap.com/notes/3483344"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "[CVE-2024-39592] Missing Authorization check in SAP PDCE",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-39592",
        "datePublished": "2024-07-09T03:45:56.018Z",
        "dateReserved": "2024-06-26T09:58:24.095Z",
        "dateUpdated": "2024-08-02T04:26:15.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40625 (GCVE-0-2023-40625)

    Vulnerability from nvd – Published: 2023-09-12 02:00 – Updated: 2024-09-25 15:28
    VLAI
    Title
    Missing Authorization check in SAP Manage Purchase Contracts App
    Summary
    S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Manage Purchase Contracts App Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4CORE 104
    Affected: S4CORE 105
    Affected: S4CORE 106
    Affected: S4CORE 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:38:51.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3326361"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T15:06:14.215597Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T15:28:24.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Manage Purchase Contracts App",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 103"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 104"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 105"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 106"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eS4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.\u003c/p\u003e"
                }
              ],
              "value": "S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T02:00:13.727Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3326361"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP Manage Purchase Contracts App",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-40625",
        "datePublished": "2023-09-12T02:00:13.727Z",
        "dateReserved": "2023-08-17T18:10:44.968Z",
        "dateUpdated": "2024-09-25T15:28:24.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-35870 (GCVE-0-2023-35870)

    Vulnerability from nvd – Published: 2023-07-11 02:40 – Updated: 2024-10-29 13:43
    VLAI
    Title
    Improper Access Control in SAP S/4HANA (Manage Journal Entry Template)
    Summary
    When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Manage Journal Entry Template) Affected: S4CORE 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:30:45.390Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3341211"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-25T18:38:35.831454Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T13:43:24.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Manage Journal Entry Template)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.\u003c/p\u003e"
                }
              ],
              "value": "When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-28T21:59:09.148Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3341211"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control in SAP S/4HANA (Manage Journal Entry Template)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-35870",
        "datePublished": "2023-07-11T02:40:26.084Z",
        "dateReserved": "2023-06-19T10:27:44.579Z",
        "dateUpdated": "2024-10-29T13:43:24.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32112 (GCVE-0-2023-32112)

    Vulnerability from nvd – Published: 2023-05-09 01:42 – Updated: 2025-01-28 19:00
    VLAI
    Title
    Missing Authorization Check in Vendor Master Hierarchy
    Summary
    Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE Vendor Master Hierarchy Affected: SAP_APPL 500
    Affected: SAP_APPL 600
    Affected: SAP_APPL 602
    Affected: SAP_APPL 603
    Affected: SAP_APPL 604
    Affected: SAP_APPL 605
    Affected: SAP_APPL 606
    Affected: SAP_APPL 616
    Affected: SAP_APPL 617
    Affected: SAP_APPL 618
    Affected: S4CORE 100
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.988Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2335198"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T19:00:42.564406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T19:00:52.594Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vendor Master Hierarchy",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 500"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 600"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 602"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 603"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 604"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 605"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 606"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 616"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 617"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 100"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to\u00a0access some of its function. This could lead to modification of data impacting the integrity of the system.\u003c/p\u003e"
                }
              ],
              "value": "Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to\u00a0access some of its function. This could lead to modification of data impacting the integrity of the system.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-09T01:46:29.784Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/2335198"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization Check in Vendor Master Hierarchy",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-32112",
        "datePublished": "2023-05-09T01:42:23.289Z",
        "dateReserved": "2023-05-03T14:48:13.764Z",
        "dateUpdated": "2025-01-28T19:00:52.594Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29110 (GCVE-0-2023-29110)

    Vulnerability from nvd – Published: 2023-04-11 03:00 – Updated: 2025-02-07 17:13
    VLAI
    Title
    Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
    Summary
    The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP Application Interface Framework (Message Dashboard) Affected: AIF 703
    Affected: AIFX 702
    Affected: S4CORE 100
    Affected: S4CORE 101
    Affected: SAP_BASIS 755
    Affected: SAP_BASIS 756
    Affected: SAP_ABA 75C
    Affected: SAP_ABA 75D
    Affected: SAP_ABA 75E
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.878Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3113349"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29110",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T17:13:12.939238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T17:13:23.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Application Interface Framework (Message Dashboard)",
              "vendor": "SAP",
              "versions": [
                {
                  "status": "affected",
                  "version": "AIF 703"
                },
                {
                  "status": "affected",
                  "version": "AIFX 702"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 100"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 755"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 756"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75C"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75D"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75E"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.\u003c/p\u003e"
                }
              ],
              "value": "The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-11T20:17:48.094Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/3113349"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-29110",
        "datePublished": "2023-04-11T03:00:17.210Z",
        "dateReserved": "2023-03-31T10:01:53.360Z",
        "dateUpdated": "2025-02-07T17:13:23.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29109 (GCVE-0-2023-29109)

    Vulnerability from nvd – Published: 2023-04-11 02:58 – Updated: 2025-02-07 16:52
    VLAI
    Title
    Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
    Summary
    The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP Application Interface Framework (Message Dashboard) Affected: AIF 703
    Affected: AIFX 702
    Affected: S4CORE 101
    Affected: SAP_BASIS 755
    Affected: SAP_BASIS 756
    Affected: SAP_ABA 75C
    Affected: SAP_ABA 75D
    Affected: SAP_ABA 75E
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3115598"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T16:52:01.499322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T16:52:14.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Application Interface Framework (Message Dashboard)",
              "vendor": "SAP",
              "versions": [
                {
                  "status": "affected",
                  "version": "AIF 703"
                },
                {
                  "status": "affected",
                  "version": "AIFX 702"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 755"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 756"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75C"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75D"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75E"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\u003c/p\u003e"
                }
              ],
              "value": "The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-11T20:17:39.130Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/3115598"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-29109",
        "datePublished": "2023-04-11T02:58:49.648Z",
        "dateReserved": "2023-03-31T10:01:53.360Z",
        "dateUpdated": "2025-02-07T16:52:14.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33701 (GCVE-0-2021-33701)

    Vulnerability from nvd – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
    VLAI
    Summary
    DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection�)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE DMIS Mobile Plug-In Affected: < DMIS 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 710
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S/4HANA Affected: < SAPSCORE 125
    Affected: < S4CORE 102
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:58:22.494Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3078312"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DMIS Mobile Plug-In",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c DMIS 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c SAPSCORE 125"
                },
                {
                  "status": "affected",
                  "version": "\u003c S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-15T17:06:24.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3078312"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-33701",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DMIS Mobile Plug-In",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "DMIS 2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "SAPSCORE 125"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "S4CORE 102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3078312",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3078312"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-33701",
        "datePublished": "2021-09-15T18:01:55.000Z",
        "dateReserved": "2021-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:58:22.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-2484 (GCVE-0-2018-2484)

    Vulnerability from nvd – Published: 2019-01-08 20:00 – Updated: 2024-08-05 04:21
    VLAI
    Summary
    SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    Severity
    No CVSS data available.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Enterprise Financial Services (SAPSCORE) Affected: < 1.13
    Affected: < 1.14
    Affected: < 1.15
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (S4CORE) Affected: < 1.01
    Affected: < 1.02
    Affected: < 1.03
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (EA-FINSERV) Affected: < 1.10
    Affected: < 2.0
    Affected: < 5.0
    Affected: < 6.0
    Affected: < 6.03
    Affected: < 6.04
    Affected: < 6.05
    Affected: < 6.06
    Affected: < 6.16
    Affected: < 6.17
    Affected: < 6.18
    Affected: < 8.0
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (Bank/CFM) Affected: < 4.63_20
    Create a notification for this product.
    Date Public
    2019-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:21:33.945Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2662687"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
              },
              {
                "name": "106477",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106477"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Enterprise Financial Services (SAPSCORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.14"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.15"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.01"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.02"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.03"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (EA-FINSERV)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.10"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.03"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.04"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.05"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.06"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.16"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.17"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.18"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.0"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (Bank/CFM)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.63_20"
                }
              ]
            }
          ],
          "datePublic": "2019-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-09T10:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2662687"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
            },
            {
              "name": "106477",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106477"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2018-2484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Enterprise Financial Services (SAPSCORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.13"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.14"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.15"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.01"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.02"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.03"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.10"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "5.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.03"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.04"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.05"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.06"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.16"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.17"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.18"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "8.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (Bank/CFM)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "4.63_20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2662687",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2662687"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
                },
                {
                  "name": "106477",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106477"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2018-2484",
        "datePublished": "2019-01-08T20:00:00.000Z",
        "dateReserved": "2017-12-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:21:33.945Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-2419 (GCVE-0-2018-2419)

    Vulnerability from nvd – Published: 2018-05-09 20:00 – Updated: 2024-08-05 04:21
    VLAI
    Summary
    SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Enterprise Financial Services (SAPSCORE) Affected: 1.11
    Affected: 1.12
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (S4CORE) Affected: 1.01
    Affected: 1.02
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (EA-FINSERV) Affected: 6.04
    Affected: 6.05
    Affected: 6.06
    Affected: 6.16
    Affected: 6.17
    Affected: 6.18
    Affected: 8.0
    Create a notification for this product.
    Date Public
    2018-05-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:21:33.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
              },
              {
                "name": "104116",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104116"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2596627"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Enterprise Financial Services (SAPSCORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.01"
                },
                {
                  "status": "affected",
                  "version": "1.02"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (EA-FINSERV)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.04"
                },
                {
                  "status": "affected",
                  "version": "6.05"
                },
                {
                  "status": "affected",
                  "version": "6.06"
                },
                {
                  "status": "affected",
                  "version": "6.16"
                },
                {
                  "status": "affected",
                  "version": "6.17"
                },
                {
                  "status": "affected",
                  "version": "6.18"
                },
                {
                  "status": "affected",
                  "version": "8.0"
                }
              ]
            }
          ],
          "datePublic": "2018-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-10T09:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
            },
            {
              "name": "104116",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104116"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2596627"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2018-2419",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Enterprise Financial Services (SAPSCORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "1.11"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "1.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "1.01"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "1.02"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "6.04"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.05"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.06"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.16"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.17"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.18"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "8.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/",
                  "refsource": "CONFIRM",
                  "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
                },
                {
                  "name": "104116",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104116"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2596627",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2596627"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2018-2419",
        "datePublished": "2018-05-09T20:00:00.000Z",
        "dateReserved": "2017-12-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:21:33.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-24323 (GCVE-0-2026-24323)

    Vulnerability from cvelistv5 – Published: 2026-02-10 03:04 – Updated: 2026-02-10 16:22
    VLAI
    Title
    Multiple vulnerabilities in BSP Applications of SAP Document Management System
    Summary
    The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Document Management System Affected: SAP_APPL 618
    Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Affected: EA-APPL 600
    Affected: 602
    Affected: 603
    Affected: 604
    Affected: 605
    Affected: 606
    Affected: 617
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:19:53.737158Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:22:54.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Document Management System",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                },
                {
                  "status": "affected",
                  "version": "EA-APPL 600"
                },
                {
                  "status": "affected",
                  "version": "602"
                },
                {
                  "status": "affected",
                  "version": "603"
                },
                {
                  "status": "affected",
                  "version": "604"
                },
                {
                  "status": "affected",
                  "version": "605"
                },
                {
                  "status": "affected",
                  "version": "606"
                },
                {
                  "status": "affected",
                  "version": "617"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:04:11.848Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3678417"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-24323",
        "datePublished": "2026-02-10T03:04:11.848Z",
        "dateReserved": "2026-01-21T22:15:36.672Z",
        "dateUpdated": "2026-02-10T16:22:54.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23688 (GCVE-0-2026-23688)

    Vulnerability from cvelistv5 – Published: 2026-02-10 03:02 – Updated: 2026-02-10 17:18
    VLAI
    Title
    Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)
    Summary
    SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Fiori App (Manage Service Entry Sheets - Lean Services) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23688",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T17:18:26.924360Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T17:18:34.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Fiori App (Manage Service Entry Sheets - Lean Services)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted.\u003c/p\u003e"
                }
              ],
              "value": "SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:02:58.702Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3215823"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-23688",
        "datePublished": "2026-02-10T03:02:58.702Z",
        "dateReserved": "2026-01-14T18:26:17.297Z",
        "dateUpdated": "2026-02-10T17:18:34.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0505 (GCVE-0-2026-0505)

    Vulnerability from cvelistv5 – Published: 2026-02-10 03:01 – Updated: 2026-02-10 16:28
    VLAI
    Title
    Multiple vulnerabilities in BSP Applications of SAP Document Management System
    Summary
    The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Document Management System Affected: SAP_APPL 618
    Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Affected: EA-APPL 600
    Affected: 602
    Affected: 603
    Affected: 604
    Affected: 605
    Affected: 606
    Affected: 617
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0505",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:28:21.921328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:28:31.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Document Management System",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                },
                {
                  "status": "affected",
                  "version": "EA-APPL 600"
                },
                {
                  "status": "affected",
                  "version": "602"
                },
                {
                  "status": "affected",
                  "version": "603"
                },
                {
                  "status": "affected",
                  "version": "604"
                },
                {
                  "status": "affected",
                  "version": "605"
                },
                {
                  "status": "affected",
                  "version": "606"
                },
                {
                  "status": "affected",
                  "version": "617"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.\u003c/p\u003e"
                }
              ],
              "value": "The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T03:01:30.818Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3678417"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-0505",
        "datePublished": "2026-02-10T03:01:30.818Z",
        "dateReserved": "2025-12-09T22:06:45.302Z",
        "dateUpdated": "2026-02-10T16:28:31.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37172 (GCVE-0-2024-37172)

    Vulnerability from cvelistv5 – Published: 2024-07-09 04:15 – Updated: 2024-08-02 03:50
    VLAI
    Title
    [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
    Summary
    SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA Finance (Advanced Payment Management) Affected: S4CORE 107
    Affected: S4CORE 108
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-09T15:16:10.095214Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-09T15:16:18.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:54.731Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://url.sap/sapsecuritypatchday"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3457354"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA Finance (Advanced Payment Management)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 107"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity.\n\n\n\n"
                }
              ],
              "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T04:15:22.833Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://url.sap/sapsecuritypatchday"
            },
            {
              "url": "https://me.sap.com/notes/3457354"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-37172",
        "datePublished": "2024-07-09T04:15:22.833Z",
        "dateReserved": "2024-06-04T07:49:42.491Z",
        "dateUpdated": "2024-08-02T03:50:54.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-39592 (GCVE-0-2024-39592)

    Vulnerability from cvelistv5 – Published: 2024-07-09 03:45 – Updated: 2024-08-02 04:26
    VLAI
    Title
    [CVE-2024-39592] Missing Authorization check in SAP PDCE
    Summary
    Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP PDCE Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4COREOP 104
    Affected: S4COREOP 105
    Affected: S4COREOP 106
    Affected: S4COREOP 107
    Affected: S4COREOP 108
    Create a notification for this product.
    sap_se sap_pdce Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4COREOP 104
    Affected: S4COREOP 105
    Affected: S4COREOP 106
    Affected: S4COREOP 107
    Affected: S4COREOP 108
        cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "sap_pdce",
                "vendor": "sap_se",
                "versions": [
                  {
                    "status": "affected",
                    "version": "S4CORE 102"
                  },
                  {
                    "status": "affected",
                    "version": "S4CORE 103"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 104"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 105"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 106"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 107"
                  },
                  {
                    "status": "affected",
                    "version": "S4COREOP 108"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39592",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T18:22:20.617499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T18:33:09.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:26:15.969Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://url.sap/sapsecuritypatchday"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3483344"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP PDCE",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 103"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 104"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 105"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 106"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 107"
                },
                {
                  "status": "affected",
                  "version": "S4COREOP 108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eElements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\u003c/p\u003e\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application.\n\n\n\n"
                }
              ],
              "value": "Elements of PDCE does not perform necessary\nauthorization checks for an authenticated user, resulting in escalation of\nprivileges.\n\n\n\nThis\nallows an attacker to read sensitive information causing high impact on the\nconfidentiality of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T03:45:56.018Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://url.sap/sapsecuritypatchday"
            },
            {
              "url": "https://me.sap.com/notes/3483344"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "[CVE-2024-39592] Missing Authorization check in SAP PDCE",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-39592",
        "datePublished": "2024-07-09T03:45:56.018Z",
        "dateReserved": "2024-06-26T09:58:24.095Z",
        "dateUpdated": "2024-08-02T04:26:15.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40625 (GCVE-0-2023-40625)

    Vulnerability from cvelistv5 – Published: 2023-09-12 02:00 – Updated: 2024-09-25 15:28
    VLAI
    Title
    Missing Authorization check in SAP Manage Purchase Contracts App
    Summary
    S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP Manage Purchase Contracts App Affected: S4CORE 102
    Affected: S4CORE 103
    Affected: S4CORE 104
    Affected: S4CORE 105
    Affected: S4CORE 106
    Affected: S4CORE 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:38:51.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3326361"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T15:06:14.215597Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T15:28:24.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP Manage Purchase Contracts App",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 103"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 104"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 105"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 106"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eS4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.\u003c/p\u003e"
                }
              ],
              "value": "S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T02:00:13.727Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3326361"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP Manage Purchase Contracts App",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-40625",
        "datePublished": "2023-09-12T02:00:13.727Z",
        "dateReserved": "2023-08-17T18:10:44.968Z",
        "dateUpdated": "2024-09-25T15:28:24.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-35870 (GCVE-0-2023-35870)

    Vulnerability from cvelistv5 – Published: 2023-07-11 02:40 – Updated: 2024-10-29 13:43
    VLAI
    Title
    Improper Access Control in SAP S/4HANA (Manage Journal Entry Template)
    Summary
    When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Manage Journal Entry Template) Affected: S4CORE 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:30:45.390Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3341211"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-25T18:38:35.831454Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T13:43:24.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Manage Journal Entry Template)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.\u003c/p\u003e"
                }
              ],
              "value": "When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-28T21:59:09.148Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3341211"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control in SAP S/4HANA (Manage Journal Entry Template)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-35870",
        "datePublished": "2023-07-11T02:40:26.084Z",
        "dateReserved": "2023-06-19T10:27:44.579Z",
        "dateUpdated": "2024-10-29T13:43:24.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32112 (GCVE-0-2023-32112)

    Vulnerability from cvelistv5 – Published: 2023-05-09 01:42 – Updated: 2025-01-28 19:00
    VLAI
    Title
    Missing Authorization Check in Vendor Master Hierarchy
    Summary
    Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE Vendor Master Hierarchy Affected: SAP_APPL 500
    Affected: SAP_APPL 600
    Affected: SAP_APPL 602
    Affected: SAP_APPL 603
    Affected: SAP_APPL 604
    Affected: SAP_APPL 605
    Affected: SAP_APPL 606
    Affected: SAP_APPL 616
    Affected: SAP_APPL 617
    Affected: SAP_APPL 618
    Affected: S4CORE 100
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.988Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2335198"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T19:00:42.564406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T19:00:52.594Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vendor Master Hierarchy",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "SAP_APPL 500"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 600"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 602"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 603"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 604"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 605"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 606"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 616"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 617"
                },
                {
                  "status": "affected",
                  "version": "SAP_APPL 618"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 100"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to\u00a0access some of its function. This could lead to modification of data impacting the integrity of the system.\u003c/p\u003e"
                }
              ],
              "value": "Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to\u00a0access some of its function. This could lead to modification of data impacting the integrity of the system.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-09T01:46:29.784Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/2335198"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization Check in Vendor Master Hierarchy",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-32112",
        "datePublished": "2023-05-09T01:42:23.289Z",
        "dateReserved": "2023-05-03T14:48:13.764Z",
        "dateUpdated": "2025-01-28T19:00:52.594Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29110 (GCVE-0-2023-29110)

    Vulnerability from cvelistv5 – Published: 2023-04-11 03:00 – Updated: 2025-02-07 17:13
    VLAI
    Title
    Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
    Summary
    The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP Application Interface Framework (Message Dashboard) Affected: AIF 703
    Affected: AIFX 702
    Affected: S4CORE 100
    Affected: S4CORE 101
    Affected: SAP_BASIS 755
    Affected: SAP_BASIS 756
    Affected: SAP_ABA 75C
    Affected: SAP_ABA 75D
    Affected: SAP_ABA 75E
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.878Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3113349"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29110",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T17:13:12.939238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T17:13:23.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Application Interface Framework (Message Dashboard)",
              "vendor": "SAP",
              "versions": [
                {
                  "status": "affected",
                  "version": "AIF 703"
                },
                {
                  "status": "affected",
                  "version": "AIFX 702"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 100"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 755"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 756"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75C"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75D"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75E"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.\u003c/p\u003e"
                }
              ],
              "value": "The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-11T20:17:48.094Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/3113349"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-29110",
        "datePublished": "2023-04-11T03:00:17.210Z",
        "dateReserved": "2023-03-31T10:01:53.360Z",
        "dateUpdated": "2025-02-07T17:13:23.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29109 (GCVE-0-2023-29109)

    Vulnerability from cvelistv5 – Published: 2023-04-11 02:58 – Updated: 2025-02-07 16:52
    VLAI
    Title
    Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
    Summary
    The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP Application Interface Framework (Message Dashboard) Affected: AIF 703
    Affected: AIFX 702
    Affected: S4CORE 101
    Affected: SAP_BASIS 755
    Affected: SAP_BASIS 756
    Affected: SAP_ABA 75C
    Affected: SAP_ABA 75D
    Affected: SAP_ABA 75E
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3115598"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T16:52:01.499322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T16:52:14.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Application Interface Framework (Message Dashboard)",
              "vendor": "SAP",
              "versions": [
                {
                  "status": "affected",
                  "version": "AIF 703"
                },
                {
                  "status": "affected",
                  "version": "AIFX 702"
                },
                {
                  "status": "affected",
                  "version": "S4CORE 101"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 755"
                },
                {
                  "status": "affected",
                  "version": "SAP_BASIS 756"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75C"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75D"
                },
                {
                  "status": "affected",
                  "version": "SAP_ABA 75E"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\u003c/p\u003e"
                }
              ],
              "value": "The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-11T20:17:39.130Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://launchpad.support.sap.com/#/notes/3115598"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-29109",
        "datePublished": "2023-04-11T02:58:49.648Z",
        "dateReserved": "2023-03-31T10:01:53.360Z",
        "dateUpdated": "2025-02-07T16:52:14.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33701 (GCVE-0-2021-33701)

    Vulnerability from cvelistv5 – Published: 2021-09-15 18:01 – Updated: 2024-08-03 23:58
    VLAI
    Summary
    DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection�)
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE DMIS Mobile Plug-In Affected: < DMIS 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 710
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S/4HANA Affected: < SAPSCORE 125
    Affected: < S4CORE 102
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:58:22.494Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/3078312"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
              },
              {
                "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DMIS Mobile Plug-In",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c DMIS 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S/4HANA",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c SAPSCORE 125"
                },
                {
                  "status": "affected",
                  "version": "\u003c S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-15T17:06:24.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/3078312"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
            },
            {
              "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2021-33701",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DMIS Mobile Plug-In",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "DMIS 2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4HANA",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "SAPSCORE 125"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "S4CORE 102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.1",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\ufffd)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/3078312",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/3078312"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-1 :: Remote ABAP Code Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/36"
                },
                {
                  "name": "20211214 SEC Consult SA-20211214-0 :: Remote ADBC SQL Injection in SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2021/Dec/35"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html"
                },
                {
                  "name": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2021-33701",
        "datePublished": "2021-09-15T18:01:55.000Z",
        "dateReserved": "2021-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:58:22.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-2484 (GCVE-0-2018-2484)

    Vulnerability from cvelistv5 – Published: 2019-01-08 20:00 – Updated: 2024-08-05 04:21
    VLAI
    Summary
    SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    Severity
    No CVSS data available.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Enterprise Financial Services (SAPSCORE) Affected: < 1.13
    Affected: < 1.14
    Affected: < 1.15
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (S4CORE) Affected: < 1.01
    Affected: < 1.02
    Affected: < 1.03
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (EA-FINSERV) Affected: < 1.10
    Affected: < 2.0
    Affected: < 5.0
    Affected: < 6.0
    Affected: < 6.03
    Affected: < 6.04
    Affected: < 6.05
    Affected: < 6.06
    Affected: < 6.16
    Affected: < 6.17
    Affected: < 6.18
    Affected: < 8.0
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (Bank/CFM) Affected: < 4.63_20
    Create a notification for this product.
    Date Public
    2019-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:21:33.945Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2662687"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
              },
              {
                "name": "106477",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106477"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Enterprise Financial Services (SAPSCORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.14"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.15"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.01"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.02"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.03"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (EA-FINSERV)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.10"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.03"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.04"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.05"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.06"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.16"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.17"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.18"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.0"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (Bank/CFM)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.63_20"
                }
              ]
            }
          ],
          "datePublic": "2019-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-09T10:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2662687"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
            },
            {
              "name": "106477",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106477"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2018-2484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Enterprise Financial Services (SAPSCORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.13"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.14"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.15"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.01"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.02"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "1.03"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "1.10"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "5.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.0"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.03"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.04"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.05"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.06"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.16"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.17"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "6.18"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "8.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (Bank/CFM)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "4.63_20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2662687",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2662687"
                },
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985"
                },
                {
                  "name": "106477",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106477"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2018-2484",
        "datePublished": "2019-01-08T20:00:00.000Z",
        "dateReserved": "2017-12-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:21:33.945Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-2419 (GCVE-0-2018-2419)

    Vulnerability from cvelistv5 – Published: 2018-05-09 20:00 – Updated: 2024-08-05 04:21
    VLAI
    Summary
    SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP Enterprise Financial Services (SAPSCORE) Affected: 1.11
    Affected: 1.12
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (S4CORE) Affected: 1.01
    Affected: 1.02
    Create a notification for this product.
    SAP SE SAP Enterprise Financial Services (EA-FINSERV) Affected: 6.04
    Affected: 6.05
    Affected: 6.06
    Affected: 6.16
    Affected: 6.17
    Affected: 6.18
    Affected: 8.0
    Create a notification for this product.
    Date Public
    2018-05-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:21:33.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
              },
              {
                "name": "104116",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104116"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2596627"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP Enterprise Financial Services (SAPSCORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.01"
                },
                {
                  "status": "affected",
                  "version": "1.02"
                }
              ]
            },
            {
              "product": "SAP Enterprise Financial Services (EA-FINSERV)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.04"
                },
                {
                  "status": "affected",
                  "version": "6.05"
                },
                {
                  "status": "affected",
                  "version": "6.06"
                },
                {
                  "status": "affected",
                  "version": "6.16"
                },
                {
                  "status": "affected",
                  "version": "6.17"
                },
                {
                  "status": "affected",
                  "version": "6.18"
                },
                {
                  "status": "affected",
                  "version": "8.0"
                }
              ]
            }
          ],
          "datePublic": "2018-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-10T09:57:01.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
            },
            {
              "name": "104116",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104116"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2596627"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2018-2419",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP Enterprise Financial Services (SAPSCORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "1.11"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "1.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "1.01"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "1.02"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP Enterprise Financial Services (EA-FINSERV)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "6.04"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.05"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.06"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.16"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.17"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "6.18"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "8.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/",
                  "refsource": "CONFIRM",
                  "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"
                },
                {
                  "name": "104116",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104116"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2596627",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2596627"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2018-2419",
        "datePublished": "2018-05-09T20:00:00.000Z",
        "dateReserved": "2017-12-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:21:33.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }