Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-22126 (GCVE-0-2024-22126)
Vulnerability from cvelistv5
Published
2024-02-13 01:58
Modified
2025-02-11 04:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
References
| URL | Tags | ||
|---|---|---|---|
|
|
|||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP NetWeaver AS Java (User Admin Application) |
Version: 7.50 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T16:21:27.522736Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T16:21:33.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3417627"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS Java (User Admin Application)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\u003c/p\u003e"
}
],
"value": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T04:13:01.325Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3417627"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"url": "https://me.sap.com/notes/3557138"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-22126",
"datePublished": "2024-02-13T01:58:27.745Z",
"dateReserved": "2024-01-05T10:21:35.256Z",
"dateUpdated": "2025-02-11T04:13:01.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-22126\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-02-13T02:15:08.107\",\"lastModified\":\"2025-02-11T05:15:13.300\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n User Admin de SAP NetWeaver AS para Java, versi\u00f3n 7.50, no valida lo suficiente y codifica incorrectamente los par\u00e1metros de la URL entrante antes de incluirlos en la URL de redireccionamiento. Esto da como resultado una vulnerabilidad de Cross-Site Scripting (XSS), lo que genera un alto impacto en la confidencialidad y un impacto leve en la integridad y la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.3}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C506445-3787-4BFF-A98B-7502A0F7CF80\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3417627\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://me.sap.com/notes/3557138\",\"source\":\"cna@sap.com\"},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://me.sap.com/notes/3417627\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://me.sap.com/notes/3417627\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T22:35:34.804Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-22126\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-09T16:21:27.522736Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-09T16:21:30.930Z\"}}], \"cna\": {\"title\": \"Cross Site Scripting vulnerability in SAP NetWeaver AS Java (User Admin Application)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP NetWeaver AS Java (User Admin Application)\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.50\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3417627\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}, {\"url\": \"https://me.sap.com/notes/3557138\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2025-02-11T04:13:01.325Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-22126\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-11T04:13:01.325Z\", \"dateReserved\": \"2024-01-05T10:21:35.256Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-02-13T01:58:27.745Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
gsd-2024-22126
Vulnerability from gsd
Modified
2024-01-06 06:02
Details
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-22126"
],
"details": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\n\n",
"id": "GSD-2024-22126",
"modified": "2024-01-06T06:02:13.736518Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2024-22126",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver AS Java (User Admin Application)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.50"
}
]
}
}
]
},
"vendor_name": "SAP_SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-79",
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://me.sap.com/notes/3417627",
"refsource": "MISC",
"url": "https://me.sap.com/notes/3417627"
},
{
"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
"refsource": "MISC",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.\n\n"
},
{
"lang": "es",
"value": "La aplicaci\u00f3n User Admin de SAP NetWeaver AS para Java, versi\u00f3n 7.50, no valida lo suficiente y codifica incorrectamente los par\u00e1metros de la URL entrante antes de incluirlos en la URL de redireccionamiento. Esto da como resultado una vulnerabilidad de Cross-Site Scripting (XSS), lo que genera un alto impacto en la confidencialidad y un impacto leve en la integridad y la disponibilidad."
}
],
"id": "CVE-2024-22126",
"lastModified": "2024-02-13T14:01:40.577",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.3,
"source": "cna@sap.com",
"type": "Secondary"
}
]
},
"published": "2024-02-13T02:15:08.107",
"references": [
{
"source": "cna@sap.com",
"url": "https://me.sap.com/notes/3417627"
},
{
"source": "cna@sap.com",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
}
}
}
ghsa-r3c3-f9mx-3phh
Vulnerability from github
Published
2024-02-13 03:30
Modified
2025-02-11 06:30
Severity ?
VLAI Severity ?
Details
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2024-22126"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T02:15:08Z",
"severity": "HIGH"
},
"details": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.",
"id": "GHSA-r3c3-f9mx-3phh",
"modified": "2025-02-11T06:30:24Z",
"published": "2024-02-13T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22126"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3417627"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3557138"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
fkie_cve-2024-22126
Vulnerability from fkie_nvd
Published
2024-02-13 02:15
Modified
2025-02-11 05:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Summary
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | netweaver_application_server_java | 7.50 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*",
"matchCriteriaId": "9C506445-3787-4BFF-A98B-7502A0F7CF80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes\u00a0the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n User Admin de SAP NetWeaver AS para Java, versi\u00f3n 7.50, no valida lo suficiente y codifica incorrectamente los par\u00e1metros de la URL entrante antes de incluirlos en la URL de redireccionamiento. Esto da como resultado una vulnerabilidad de Cross-Site Scripting (XSS), lo que genera un alto impacto en la confidencialidad y un impacto leve en la integridad y la disponibilidad."
}
],
"id": "CVE-2024-22126",
"lastModified": "2025-02-11T05:15:13.300",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.3,
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
},
"published": "2024-02-13T02:15:08.107",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3417627"
},
{
"source": "cna@sap.com",
"url": "https://me.sap.com/notes/3557138"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3417627"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
CERTFR-2025-AVI-0114
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de sécurité | ||
| SAP | N/A | Enterprise Project Connection version 3.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Enterprise Project Connection version 3.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-24874",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24874"
},
{
"name": "CVE-2025-24875",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24875"
},
{
"name": "CVE-2025-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
},
{
"name": "CVE-2023-24527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24527"
},
{
"name": "CVE-2025-0064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0064"
},
{
"name": "CVE-2024-38819",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
},
{
"name": "CVE-2024-38820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
},
{
"name": "CVE-2025-23189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23189"
},
{
"name": "CVE-2025-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23193"
},
{
"name": "CVE-2025-23187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23187"
},
{
"name": "CVE-2025-24870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24870"
},
{
"name": "CVE-2025-25241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25241"
},
{
"name": "CVE-2024-45216",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45216"
},
{
"name": "CVE-2025-24876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24876"
},
{
"name": "CVE-2025-23190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23190"
},
{
"name": "CVE-2024-22126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
},
{
"name": "CVE-2025-25243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25243"
},
{
"name": "CVE-2024-45217",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45217"
},
{
"name": "CVE-2025-0054",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0054"
},
{
"name": "CVE-2024-38828",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
},
{
"name": "CVE-2025-24867",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24867"
},
{
"name": "CVE-2025-24868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24868"
},
{
"name": "CVE-2025-24869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24869"
},
{
"name": "CVE-2025-24872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24872"
}
],
"initial_release_date": "2025-02-11T00:00:00",
"last_revision_date": "2025-02-11T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0114",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-02-10",
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
]
}
CERTFR-2024-AVI-0125
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702 | ||
| SAP | N/A | SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731 | ||
| SAP | N/A | SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801 | ||
| SAP | SAP NetWeaver AS Java | SAP NetWeaver AS Java (Guided Procedures) version 7.50 | ||
| SAP | N/A | SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804 | ||
| SAP | N/A | SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53 | ||
| SAP | N/A | SAP Business Client versions 6.5, 7.0 et 7.70 | ||
| SAP | SAP NetWeaver AS Java | SAP NetWeaver AS Java (User Admin Application) version 7.50 | ||
| SAP | N/A | SAP Cloud Connector version 2.0 | ||
| SAP | N/A | SAP Fiori app ("My Overtime Requests") versions 605 | ||
| SAP | N/A | IDES Systems toutes versions | ||
| SAP | N/A | SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I | ||
| SAP | N/A | SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 | ||
| SAP | N/A | BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101 | ||
| SAP | N/A | SAP Companion versions antérieures à 3.1.38 | ||
| SAP | SAP CRM WebClient UI | SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS Java (Guided Procedures) version 7.50",
"product": {
"name": "SAP NetWeaver AS Java",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Business Client versions 6.5, 7.0 et 7.70",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP NetWeaver AS Java (User Admin Application) version 7.50",
"product": {
"name": "SAP NetWeaver AS Java",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Cloud Connector version 2.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Fiori app (\"My Overtime Requests\") versions 605",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "IDES Systems toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP Companion versions ant\u00e9rieures \u00e0 3.1.38",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
"product": {
"name": "SAP CRM WebClient UI",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-24741",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24741"
},
{
"name": "CVE-2024-22132",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22132"
},
{
"name": "CVE-2024-24739",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24739"
},
{
"name": "CVE-2023-49580",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49580"
},
{
"name": "CVE-2024-25643",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25643"
},
{
"name": "CVE-2024-24742",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24742"
},
{
"name": "CVE-2024-25642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25642"
},
{
"name": "CVE-2024-24740",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24740"
},
{
"name": "CVE-2024-22129",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22129"
},
{
"name": "CVE-2024-22126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
},
{
"name": "CVE-2024-22128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22128"
},
{
"name": "CVE-2024-22131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22131"
},
{
"name": "CVE-2024-22130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22130"
},
{
"name": "CVE-2023-49058",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49058"
},
{
"name": "CVE-2024-24743",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24743"
}
],
"initial_release_date": "2024-02-14T00:00:00",
"last_revision_date": "2024-02-14T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0125",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2024 du 13 f\u00e9vrier 2024",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
}
]
}
WID-SEC-W-2024-0355
Vulnerability from csaf_certbund
Published
2024-02-12 23:00
Modified
2024-02-12 23:00
Summary
SAP Software: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0355 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0355.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0355 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0355"
},
{
"category": "external",
"summary": "SAP Security Patch Day \u2013 February 2024 vom 2024-02-12",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
}
],
"source_lang": "en-US",
"title": "SAP Software: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-12T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:05:07.923+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0355",
"initial_release_date": "2024-02-12T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-02-12T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SAP Software",
"product": {
"name": "SAP Software",
"product_id": "T032707",
"product_identification_helper": {
"cpe": "cpe:/a:sap:sap:-"
}
}
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-25643",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-25643"
},
{
"cve": "CVE-2024-25642",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-25642"
},
{
"cve": "CVE-2024-24743",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24743"
},
{
"cve": "CVE-2024-24742",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24742"
},
{
"cve": "CVE-2024-24741",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24741"
},
{
"cve": "CVE-2024-24740",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24740"
},
{
"cve": "CVE-2024-24739",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24739"
},
{
"cve": "CVE-2024-22132",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22132"
},
{
"cve": "CVE-2024-22131",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22131"
},
{
"cve": "CVE-2024-22130",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22130"
},
{
"cve": "CVE-2024-22129",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22129"
},
{
"cve": "CVE-2024-22128",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22128"
},
{
"cve": "CVE-2024-22126",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22126"
},
{
"cve": "CVE-2023-49580",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2023-49580"
},
{
"cve": "CVE-2023-49058",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2023-49058"
}
]
}
wid-sec-w-2024-0355
Vulnerability from csaf_certbund
Published
2024-02-12 23:00
Modified
2024-02-12 23:00
Summary
SAP Software: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0355 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0355.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0355 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0355"
},
{
"category": "external",
"summary": "SAP Security Patch Day \u2013 February 2024 vom 2024-02-12",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
}
],
"source_lang": "en-US",
"title": "SAP Software: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-12T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:05:07.923+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0355",
"initial_release_date": "2024-02-12T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-02-12T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SAP Software",
"product": {
"name": "SAP Software",
"product_id": "T032707",
"product_identification_helper": {
"cpe": "cpe:/a:sap:sap:-"
}
}
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-25643",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-25643"
},
{
"cve": "CVE-2024-25642",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-25642"
},
{
"cve": "CVE-2024-24743",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24743"
},
{
"cve": "CVE-2024-24742",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24742"
},
{
"cve": "CVE-2024-24741",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24741"
},
{
"cve": "CVE-2024-24740",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24740"
},
{
"cve": "CVE-2024-24739",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-24739"
},
{
"cve": "CVE-2024-22132",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22132"
},
{
"cve": "CVE-2024-22131",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22131"
},
{
"cve": "CVE-2024-22130",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22130"
},
{
"cve": "CVE-2024-22129",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22129"
},
{
"cve": "CVE-2024-22128",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22128"
},
{
"cve": "CVE-2024-22126",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2024-22126"
},
{
"cve": "CVE-2023-49580",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2023-49580"
},
{
"cve": "CVE-2023-49058",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
}
],
"product_status": {
"known_affected": [
"T032707"
]
},
"release_date": "2024-02-12T23:00:00.000+00:00",
"title": "CVE-2023-49058"
}
]
}
ncsc-2025-0045
Vulnerability from csaf_ncscnl
Published
2025-02-11 09:08
Modified
2025-02-11 09:08
Summary
Kwetsbaarheden verholpen in SAP producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
SAP heeft kwetsbaarheden verholpen in onder andere SAP NetWeaver, BusinessObjects Business Intelligence platform, Enterprise Project Connection en Commerce.
Interpretaties
De kwetsbaarheden in SAP NetWeaver omvatten een gebrek aan toegangscontrole, wat ongeauthenticeerde aanvallers in staat stelt om toegang te krijgen tot gevoelige serverinstellingen en gegevens. Daarnaast zijn er Cross-Site Scripting kwetsbaarheden in SAP producten die de vertrouwelijkheid van gegevens ernstig kunnen aantasten. De kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, wat kan leiden tot datalekken en andere beveiligingsincidenten.
Oplossingen
SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-921
Storage of Sensitive Data in a Mechanism without Access Control
CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CWE-1188
Initialization of a Resource with an Insecure Default
CWE-178
Improper Handling of Case Sensitivity
CWE-732
Incorrect Permission Assignment for Critical Resource
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-204
Observable Response Discrepancy
CWE-404
Improper Resource Shutdown or Release
CWE-306
Missing Authentication for Critical Function
CWE-862
Missing Authorization
CWE-352
Cross-Site Request Forgery (CSRF)
CWE-284
Improper Access Control
CWE-863
Incorrect Authorization
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-287
Improper Authentication
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in onder andere SAP NetWeaver, BusinessObjects Business Intelligence platform, Enterprise Project Connection en Commerce.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in SAP NetWeaver omvatten een gebrek aan toegangscontrole, wat ongeauthenticeerde aanvallers in staat stelt om toegang te krijgen tot gevoelige serverinstellingen en gegevens. Daarnaast zijn er Cross-Site Scripting kwetsbaarheden in SAP producten die de vertrouwelijkheid van gegevens ernstig kunnen aantasten. De kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, wat kan leiden tot datalekken en andere beveiligingsincidenten.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Storage of Sensitive Data in a Mechanism without Access Control",
"title": "CWE-921"
},
{
"category": "general",
"text": "Improper Restriction of Rendered UI Layers or Frames",
"title": "CWE-1021"
},
{
"category": "general",
"text": "Initialization of a Resource with an Insecure Default",
"title": "CWE-1188"
},
{
"category": "general",
"text": "Improper Handling of Case Sensitivity",
"title": "CWE-178"
},
{
"category": "general",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"title": "CWE-644"
},
{
"category": "general",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - ncscclear",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP producten",
"tracking": {
"current_release_date": "2025-02-11T09:08:48.427126Z",
"id": "NCSC-2025-0045",
"initial_release_date": "2025-02-11T09:08:48.427126Z",
"revision_history": [
{
"date": "2025-02-11T09:08:48.427126Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "supplier_relationship_management",
"product": {
"name": "supplier_relationship_management",
"product_id": "CSAFPID-1760711",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:supplier_relationship_management:7.52:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver",
"product": {
"name": "netweaver",
"product_id": "CSAFPID-16504",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver:application_server_java:7.50:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_server_abap",
"product": {
"name": "netweaver_server_abap",
"product_id": "CSAFPID-1760738",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_server_abap:758:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_java_application_server",
"product": {
"name": "netweaver_java_application_server",
"product_id": "CSAFPID-406035",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_java_application_server:7.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_as_java",
"product": {
"name": "netweaver_as_java",
"product_id": "CSAFPID-837776",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_as_java:7.50:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_application_server_java",
"product": {
"name": "netweaver_application_server_java",
"product_id": "CSAFPID-1760739",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_as_java_for_deploy_service",
"product": {
"name": "netweaver_as_java_for_deploy_service",
"product_id": "CSAFPID-1759878",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_as_java_for_deploy_service:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "abap_platform",
"product": {
"name": "abap_platform",
"product_id": "CSAFPID-340940",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:abap_platform:758:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "commerce_backoffice",
"product": {
"name": "commerce_backoffice",
"product_id": "CSAFPID-1760724",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:commerce_backoffice:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "commerce",
"product": {
"name": "commerce",
"product_id": "CSAFPID-234320",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:commerce:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "sap"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-24527",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-24527",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-24527.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2023-24527"
},
{
"cve": "CVE-2024-22126",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22126",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22126.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-22126"
},
{
"cve": "CVE-2024-38819",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38819",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38819.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38819"
},
{
"cve": "CVE-2024-38820",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "other",
"text": "Improper Handling of Case Sensitivity",
"title": "CWE-178"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38820",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38820.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38820"
},
{
"cve": "CVE-2024-38828",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38828",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38828.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38828"
},
{
"cve": "CVE-2024-45216",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45216",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45216.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-45216"
},
{
"cve": "CVE-2024-45217",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"notes": [
{
"category": "other",
"text": "Initialization of a Resource with an Insecure Default",
"title": "CWE-1188"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45217",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45217.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-45217"
},
{
"cve": "CVE-2025-0054",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-0054",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0054.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-0054"
},
{
"cve": "CVE-2025-0064",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-0064",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0064.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-0064"
},
{
"cve": "CVE-2025-23187",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23187",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23187.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23187"
},
{
"cve": "CVE-2025-23189",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23189",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23189.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23189"
},
{
"cve": "CVE-2025-23190",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23190",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23190.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23190"
},
{
"cve": "CVE-2025-23191",
"cwe": {
"id": "CWE-644",
"name": "Improper Neutralization of HTTP Headers for Scripting Syntax"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"title": "CWE-644"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23191",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23191.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23191"
},
{
"cve": "CVE-2025-23193",
"cwe": {
"id": "CWE-204",
"name": "Observable Response Discrepancy"
},
"notes": [
{
"category": "other",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23193",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23193.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23193"
},
{
"cve": "CVE-2025-24867",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24867",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24867.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24867"
},
{
"cve": "CVE-2025-24868",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24868",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24868.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24868"
},
{
"cve": "CVE-2025-24869",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24869",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24869.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24869"
},
{
"cve": "CVE-2025-24870",
"cwe": {
"id": "CWE-921",
"name": "Storage of Sensitive Data in a Mechanism without Access Control"
},
"notes": [
{
"category": "other",
"text": "Storage of Sensitive Data in a Mechanism without Access Control",
"title": "CWE-921"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24870",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24870.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24870"
},
{
"cve": "CVE-2025-24872",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24872",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24872.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24872"
},
{
"cve": "CVE-2025-24874",
"cwe": {
"id": "CWE-1021",
"name": "Improper Restriction of Rendered UI Layers or Frames"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of Rendered UI Layers or Frames",
"title": "CWE-1021"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24874",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24874.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24874"
},
{
"cve": "CVE-2025-24875",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24875",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24875.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24875"
},
{
"cve": "CVE-2025-24876",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24876",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24876.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24876"
},
{
"cve": "CVE-2025-25241",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25241",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25241.json"
}
],
"title": "CVE-2025-25241"
},
{
"cve": "CVE-2025-25243",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25243",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25243.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-25243"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…