Vulnerabilities related to sap - customer_relationship_management
Vulnerability from fkie_nvd
Published
2017-10-16 16:29
Modified
2024-11-21 03:14
Severity ?
Summary
The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/99532 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ | Issue Tracking, Vendor Advisory | |
cve@mitre.org | https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99532 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/ | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 700 | |
sap | customer_relationship_management | 701 | |
sap | customer_relationship_management | 702 | |
sap | customer_relationship_management | 730 | |
sap | customer_relationship_management | 731 | |
sap | customer_relationship_management | 732 | |
sap | customer_relationship_management | 733 | |
sap | customer_relationship_management | 754 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "082053C1-23F5-43E1-B2FD-5ECDE3EFC101", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "1827CD2E-82B5-4D80-B606-ECEA9977905E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "33C39D15-9A98-4051-A086-A08EB3E3776D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:730:*:*:*:*:*:*:*", "matchCriteriaId": "F33C8A97-75A2-4204-BCB5-A659507E0021", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:731:*:*:*:*:*:*:*", "matchCriteriaId": "656B4713-912E-4ACF-A519-81756935089C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:732:*:*:*:*:*:*:*", "matchCriteriaId": "73DBF50A-1E14-4FAF-B615-78B30281F830", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:733:*:*:*:*:*:*:*", "matchCriteriaId": "7FDA3E3C-4FD7-4389-8D9C-4BA54C3546B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:754:*:*:*:*:*:*:*", "matchCriteriaId": "907B43A3-DCDD-4F59-9A50-B56055FFB5AC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964." }, { "lang": "es", "value": "La consola de administraci\u00f3n Java en SAP CRM tiene XSS. Esto corresponde con SAP Security Note 2478964." 
} ], "id": "CVE-2017-15294", "lastModified": "2024-11-21T03:14:24.290", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-16T16:29:00.950", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99532" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99532" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-03-01 17:29
Modified
2025-01-29 21:15
Severity ?
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 7.01 | |
sap | customer_relationship_management | 7.02 | |
sap | customer_relationship_management | 7.30 | |
sap | customer_relationship_management | 7.31 | |
sap | customer_relationship_management | 7.33 | |
sap | customer_relationship_management | 7.54 |
{ "cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "SAP Customer Relationship Management (CRM) Path Traversal Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.01:*:*:*:*:*:*:*", "matchCriteriaId": "136E88EF-877A-4881-B098-3472E02FC45A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.02:*:*:*:*:*:*:*", "matchCriteriaId": "3029F4DC-63CD-49C6-A98E-5A5B01E104FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "51E097C6-61E3-4D8A-ABEC-A32BA68E3D87", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "4258AAE6-ABD0-47C1-B794-E68D3A57EEE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.33:*:*:*:*:*:*:*", "matchCriteriaId": "4392BD0F-A286-4AEA-89E5-D151034C9055", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.54:*:*:*:*:*:*:*", "matchCriteriaId": "CFD82446-BD1D-40E7-A216-2239B7D07691", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs." }, { "lang": "es", "value": "SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validaci\u00f3n insuficiente de la informaci\u00f3n de ruta proporcionada por los usuarios, por lo que los caracteres que representan \"salto al directorio padre\" se pasan a las API de archivo." 
} ], "id": "CVE-2018-2380", "lastModified": "2025-01-29T21:15:08.910", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2018-03-01T17:29:00.413", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103001" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/" }, { "source": "cna@sap.com", "tags": [ "Exploit", "Third 
Party Advisory" ], "url": "https://github.com/erpscanteam/CVE-2018-2380" }, { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2547431" }, { "source": "cna@sap.com", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/44292/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/erpscanteam/CVE-2018-2380" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/2547431" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/44292/" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2015-05-12 20:59
Modified
2024-11-21 02:30
Severity ?
Summary
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:-:*:*:*:*:*:*:*", "matchCriteriaId": "376632C5-D6E0-4B4D-8513-7DFF8B2181E2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534." }, { "lang": "es", "value": "Vulnerabilidad no especificada en el Framework Business Rules (CRM-BF-BRF) en SAP CRM permite a atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores desconocidos, tambi\u00e9n conocido como la nota de seguridad de SAP 2097534." } ], "id": "CVE-2015-3979", "lastModified": "2024-11-21T02:30:11.663", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-05-12T20:59:01.287", "references": [ { "source": "cve@mitre.org", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74626" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1032309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74626" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1032309" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-16 16:29
Modified
2024-11-21 03:14
Severity ?
Summary
The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 700 | |
sap | customer_relationship_management | 701 | |
sap | customer_relationship_management | 702 | |
sap | customer_relationship_management | 730 | |
sap | customer_relationship_management | 731 | |
sap | customer_relationship_management | 732 | |
sap | customer_relationship_management | 733 | |
sap | customer_relationship_management | 754 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "082053C1-23F5-43E1-B2FD-5ECDE3EFC101", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "1827CD2E-82B5-4D80-B606-ECEA9977905E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "33C39D15-9A98-4051-A086-A08EB3E3776D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:730:*:*:*:*:*:*:*", "matchCriteriaId": "F33C8A97-75A2-4204-BCB5-A659507E0021", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:731:*:*:*:*:*:*:*", "matchCriteriaId": "656B4713-912E-4ACF-A519-81756935089C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:732:*:*:*:*:*:*:*", "matchCriteriaId": "73DBF50A-1E14-4FAF-B615-78B30281F830", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:733:*:*:*:*:*:*:*", "matchCriteriaId": "7FDA3E3C-4FD7-4389-8D9C-4BA54C3546B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:754:*:*:*:*:*:*:*", "matchCriteriaId": "907B43A3-DCDD-4F59-9A50-B56055FFB5AC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964." }, { "lang": "es", "value": "El componente Java en SAP CRM tiene CSRF. Esto corresponde con SAP Security Note 2478964." 
} ], "id": "CVE-2017-15296", "lastModified": "2024-11-21T03:14:24.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-16T16:29:01.090", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" }, { "source": "cve@mitre.org", "url": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-02-14 15:55
Modified
2024-11-21 02:05
Severity ?
Summary
Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 7.02 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.02:ehp2:*:*:*:*:*:*", "matchCriteriaId": "E077761A-94DE-42EE-A781-1F351249A4D8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue." }, { "lang": "es", "value": "Gwsync en SAP CRM 7.02 EHP 2 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados, relacionado con un problema de XML External Entity (XXE)." } ], "id": "CVE-2014-1962", "lastModified": "2024-11-21T02:05:21.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-02-14T15:55:07.500", "references": [ { "source": "cve@mitre.org", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/56944" }, { "source": "cve@mitre.org", "url": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91098" }, { "source": "cve@mitre.org", "url": "https://service.sap.com/sap/support/notes/1917054" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/56944" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91098" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://service.sap.com/sap/support/notes/1917054" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-05-12 20:59
Modified
2024-11-21 02:30
Severity ?
Summary
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:-:*:*:*:*:*:*:*", "matchCriteriaId": "376632C5-D6E0-4B4D-8513-7DFF8B2181E2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el Framework Business Rules (CRM-BF-BRF) en SAP CRM permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados, tambi\u00e9n conocida como la nota de seguridad de SAP 2097534." } ], "id": "CVE-2015-3980", "lastModified": "2024-11-21T02:30:11.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-05-12T20:59:02.520", "references": [ { "source": "cve@mitre.org", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74624" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1032309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.securityfocus.com/bid/74624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1032309" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-12-13 20:08
Modified
2024-11-21 02:00
Severity ?
Summary
The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 7.02 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:7.02:ehp2:*:*:*:*:*:*", "matchCriteriaId": "E077761A-94DE-42EE-A781-1F351249A4D8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue." }, { "lang": "es", "value": "El analizador XML (crm_flex_data) en SAP Customer Relationship Management (CRM) 7.02 EHP tiene impacto desconocido y vectores de ataque relacionados problemas con la entidades externas XML (XXE)." } ], "id": "CVE-2013-7095", "lastModified": "2024-11-21T02:00:20.333", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-12-13T20:08:40.907", "references": [ { "source": "cve@mitre.org", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/56064" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64265" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1029488" }, { "source": "cve@mitre.org", "url": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89703" }, { 
"source": "cve@mitre.org", "url": "https://service.sap.com/sap/support/notes/1909665" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://scn.sap.com/docs/DOC-8218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/56064" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64265" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1029488" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89703" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://service.sap.com/sap/support/notes/1909665" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-04-11 03:15
Modified
2024-11-21 07:53
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 700 | |
sap | customer_relationship_management | 701 | |
sap | customer_relationship_management | 702 | |
sap | customer_relationship_management | 712 | |
sap | customer_relationship_management | 713 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "082053C1-23F5-43E1-B2FD-5ECDE3EFC101", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "1827CD2E-82B5-4D80-B606-ECEA9977905E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "33C39D15-9A98-4051-A086-A08EB3E3776D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:712:*:*:*:*:*:*:*", "matchCriteriaId": "1E6F69C1-E6CD-4B48-BE75-66BC355EA643", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:713:*:*:*:*:*:*:*", "matchCriteriaId": "69E8FBB3-92C7-4B2A-8A4E-E30EB6B64F7C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. 
Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.\n\n" } ], "id": "CVE-2023-27897", "lastModified": "2024-11-21T07:53:39.440", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.7, "source": "cna@sap.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-11T03:15:07.613", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/3309056" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/3309056" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } 
], "source": "cna@sap.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-14 12:15
Modified
2024-11-21 06:09
Summary
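A missing authority check in SAP CRM versions 700, 701, 702, 712, 713 and 714 could be leveraged by an attacker with high privileges to compromise the confidentiality, integrity, or availability of the system. The record below carries two differing CVSS v3 assessments: NVD rates it 7.2 (HIGH) with a network attack vector, while SAP rates it 6.8 (MEDIUM) with an adjacent-network attack vector.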
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3066316 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3066316 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | 700 | |
sap | customer_relationship_management | 701 | |
sap | customer_relationship_management | 702 | |
sap | customer_relationship_management | 712 | |
sap | customer_relationship_management | 713 | |
sap | customer_relationship_management | 714 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "082053C1-23F5-43E1-B2FD-5ECDE3EFC101", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "1827CD2E-82B5-4D80-B606-ECEA9977905E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "33C39D15-9A98-4051-A086-A08EB3E3776D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:712:*:*:*:*:*:*:*", "matchCriteriaId": "1E6F69C1-E6CD-4B48-BE75-66BC355EA643", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:713:*:*:*:*:*:*:*", "matchCriteriaId": "69E8FBB3-92C7-4B2A-8A4E-E30EB6B64F7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:customer_relationship_management:714:*:*:*:*:*:*:*", "matchCriteriaId": "93135E4D-F522-4A0C-9580-DBF6FC51931A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system." 
}, { "lang": "es", "value": "Una falta de comprobaci\u00f3n de autoridad en SAP CRM, versiones - 700, 701, 702, 712, 713, 714, podr\u00eda ser aprovechada por un atacante con altos privilegios para comprometer la confidencialidad, integridad o disponibilidad del sistema" } ], "id": "CVE-2021-33676", "lastModified": "2024-11-21T06:09:20.477", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "cna@sap.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-14T12:15:08.307", "references": [ { "source": "cna@sap.com", "tags": [ 
"Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/3066316" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://launchpad.support.sap.com/#/notes/3066316" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-11-06 15:55
Modified
2024-11-21 02:19
Summary
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | customer_relationship_management | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:customer_relationship_management:-:*:*:*:*:*:*:*", "matchCriteriaId": "376632C5-D6E0-4B4D-8513-7DFF8B2181E2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors." }, { "lang": "es", "value": "El m\u00f3dulo SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) para SAP CRM permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-8669", "lastModified": "2024-11-21T02:19:33.567", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-11-06T15:55:14.710", "references": [ { "source": "cve@mitre.org", "url": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/" }, { "source": "cve@mitre.org", "url": "http://service.sap.com/sap/support/notes/0001835691" }, { "source": "cve@mitre.org", "url": "http://service.sap.com/sap/support/notes/0001872638" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://service.sap.com/sap/support/notes/0001835691" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://service.sap.com/sap/support/notes/0001872638" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2023-27897
Vulnerability from cvelistv5
Published
2023-04-11 02:50
Modified
2025-02-07 16:54
Summary
In SAP CRM versions 700, 701, 702, 712 and 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can have a limited impact on the confidentiality and integrity of non-critical user or application data and on application availability.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:23:30.151Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3309056" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-27897", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-07T16:54:44.490490Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-07T16:54:50.000Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "CRM", "vendor": "SAP", "versions": [ { "status": "affected", "version": "700" }, { "status": "affected", "version": "701" }, { "status": "affected", "version": "702" }, { "status": "affected", "version": "712" }, { "status": "affected", "version": "713" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eIn SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. 
Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.\u003c/p\u003e" } ], "value": "In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-11T20:19:16.988Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://launchpad.support.sap.com/#/notes/3309056" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Code Injection vulnerability in SAP CRM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2023-27897", "datePublished": "2023-04-11T02:50:00.642Z", "dateReserved": 
"2023-03-07T07:53:14.887Z", "dateUpdated": "2025-02-07T16:54:50.000Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-2380
Vulnerability from cvelistv5
Published
2018-03-01 17:00
Modified
2025-01-29 20:22
Summary
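SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 and 7.54 allows an attacker to exploit insufficient validation of path information provided by users, so that characters representing "traverse to parent directory" are passed through to the file APIs. The CISA ADP data in the record below marks exploitation as active and references the Known Exploited Vulnerabilities catalog (added 2021-11-03).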
References
▼ | URL | Tags |
---|---|---|
https://github.com/erpscanteam/CVE-2018-2380 | x_refsource_MISC | |
https://www.exploit-db.com/exploits/44292/ | exploit, x_refsource_EXPLOIT-DB | |
https://launchpad.support.sap.com/#/notes/2547431 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/103001 | vdb-entry, x_refsource_BID | |
https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/ | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T04:14:39.708Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/erpscanteam/CVE-2018-2380" }, { "name": "44292", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/44292/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2547431" }, { "name": "103001", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103001" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2018-2380", "options": [ { "Exploitation": "active" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-29T20:12:55.158230Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2018-2380" }, "type": "kev" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-29T20:22:30.425Z", "orgId": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SAP CRM", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "7.01" }, { "status": "affected", "version": "7.02" }, { "status": "affected", "version": "7.30" }, { "status": "affected", "version": "7.31" }, { "status": "affected", "version": "7.33" }, { "status": "affected", "version": "7.54" } ] } ], "datePublic": "2018-02-13T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs." } ], "problemTypes": [ { "descriptions": [ { "description": "Directory/Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-17T09:57:01.000Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/erpscanteam/CVE-2018-2380" }, { "name": "44292", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/44292/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://launchpad.support.sap.com/#/notes/2547431" }, { "name": "103001", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103001" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2380", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP CRM", "version": { "version_data": [ { "version_affected": "=", "version_value": "7.01" }, { "version_affected": "=", "version_value": "7.02" }, { "version_affected": "=", 
"version_value": "7.30" }, { "version_affected": "=", "version_value": "7.31" }, { "version_affected": "=", "version_value": "7.33" }, { "version_affected": "=", "version_value": "7.54" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Directory/Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/erpscanteam/CVE-2018-2380", "refsource": "MISC", "url": "https://github.com/erpscanteam/CVE-2018-2380" }, { "name": "44292", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44292/" }, { "name": "https://launchpad.support.sap.com/#/notes/2547431", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2547431" }, { "name": "103001", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103001" }, { "name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2380", "datePublished": "2018-03-01T17:00:00.000Z", "dateReserved": "2017-12-15T00:00:00.000Z", "dateUpdated": "2025-01-29T20:22:30.425Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-7095
Vulnerability from cvelistv5
Published
2013-12-13 19:00
Modified
2024-08-06 17:53
Summary
The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/89703 | vdb-entry, x_refsource_XF | |
http://www.securitytracker.com/id/1029488 | vdb-entry, x_refsource_SECTRACK | |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM | |
http://secunia.com/advisories/56064 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/64265 | vdb-entry, x_refsource_BID | |
https://service.sap.com/sap/support/notes/1909665 | x_refsource_CONFIRM | |
https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:53:46.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "sap-crm-xml-info-disc(89703)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89703" }, { "name": "1029488", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1029488" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "56064", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56064" }, { "name": "64265", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/64265" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1909665" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-29T00:00:00", "descriptions": [ { "lang": "en", "value": "The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-10T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "sap-crm-xml-info-disc(89703)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89703" }, { "name": "1029488", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1029488" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "56064", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56064" }, { "name": "64265", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/64265" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/1909665" }, { "tags": [ "x_refsource_MISC" ], "url": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7095", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "sap-crm-xml-info-disc(89703)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89703" }, { "name": "1029488", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029488" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" }, { "name": "56064", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56064" }, { "name": "64265", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64265" }, { "name": "https://service.sap.com/sap/support/notes/1909665", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/1909665" }, { "name": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-13-025-sap-crm-crm_flex_data-xxe/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7095", "datePublished": "2013-12-13T19:00:00", "dateReserved": "2013-12-13T00:00:00", "dateUpdated": "2024-08-06T17:53:46.137Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8669
Vulnerability from cvelistv5
Published
2014-11-06 15:00
Modified
2024-09-17 02:57
Summary
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://service.sap.com/sap/support/notes/0001872638 | x_refsource_MISC | |
http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/ | x_refsource_MISC | |
http://service.sap.com/sap/support/notes/0001835691 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:26:02.017Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://service.sap.com/sap/support/notes/0001872638" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://service.sap.com/sap/support/notes/0001835691" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-11-06T15:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://service.sap.com/sap/support/notes/0001872638" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://service.sap.com/sap/support/notes/0001835691" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8669", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows 
remote attackers to execute arbitrary code via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://service.sap.com/sap/support/notes/0001872638", "refsource": "MISC", "url": "http://service.sap.com/sap/support/notes/0001872638" }, { "name": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/", "refsource": "MISC", "url": "http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/" }, { "name": "http://service.sap.com/sap/support/notes/0001835691", "refsource": "MISC", "url": "http://service.sap.com/sap/support/notes/0001835691" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8669", "datePublished": "2014-11-06T15:00:00Z", "dateReserved": "2014-11-06T00:00:00Z", "dateUpdated": "2024-09-17T02:57:32.799Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-3980
Vulnerability from cvelistv5
Published
2015-05-12 20:00
Modified
2024-08-06 06:04
Summary
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.
References
▼ | URL | Tags |
---|---|---|
http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/ | x_refsource_MISC | |
http://www.securityfocus.com/bid/74624 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1032309 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:04:02.533Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74624", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74624" }, { "name": "1032309", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1032309" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-30T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74624", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74624" }, { "name": "1032309", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1032309" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3980", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/", "refsource": "MISC", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74624", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74624" }, { "name": "1032309", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032309" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3980", "datePublished": "2015-05-12T20:00:00", "dateReserved": "2015-05-12T00:00:00", "dateUpdated": "2024-08-06T06:04:02.533Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33676
Vulnerability from cvelistv5
Published
2021-07-14 11:03
Modified
2024-08-03 23:58
Summary
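A missing authority check in SAP CRM versions 700, 701, 702, 712, 713 and 714 could be leveraged by an attacker with high privileges to compromise the confidentiality, integrity, or availability of the system. The structured version entries in the record below are written as "< 700" through "< 714", which does not match this list; confirm the affected releases against SAP Note 3066316 before relying on them for automated matching.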
References
URL | Tags |
---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | x_refsource_MISC |
https://launchpad.support.sap.com/#/notes/3066316 | x_refsource_MISC |
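Impacted products
Vendor | Product | Version |
---|---|---|
SAP SE | SAP CRM | < 700 |
SAP SE | SAP CRM | < 701 |
SAP SE | SAP CRM | < 702 |
SAP SE | SAP CRM | < 712 |
SAP SE | SAP CRM | < 713 |
SAP SE | SAP CRM | < 714 |

Note: the record's structured version entries read "< 700" through "< 714", while its description names 700, 701, 702, 712, 713 and 714 as the affected versions. Check the affected range against the SAP note linked above (notes/3066316) before using the "<" values for version matching.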
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:22.363Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3066316" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP CRM", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 700" }, { "status": "affected", "version": "\u003c 701" }, { "status": "affected", "version": "\u003c 702" }, { "status": "affected", "version": "\u003c 712" }, { "status": "affected", "version": "\u003c 713" }, { "status": "affected", "version": "\u003c 714" } ] } ], "descriptions": [ { "lang": "en", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "Missing Authority Check", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-14T11:03:48", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/3066316" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2021-33676", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP CRM", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "700" }, { "version_name": "\u003c", "version_value": "701" }, { "version_name": "\u003c", "version_value": "702" }, { "version_name": "\u003c", "version_value": "712" }, { "version_name": "\u003c", "version_value": "713" }, { "version_name": "\u003c", "version_value": "714" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system." 
} ] }, "impact": { "cvss": { "baseScore": "6.8", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Missing Authority Check" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506" }, { "name": "https://launchpad.support.sap.com/#/notes/3066316", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3066316" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-33676", "datePublished": "2021-07-14T11:03:48", "dateReserved": "2021-05-28T00:00:00", "dateUpdated": "2024-08-03T23:58:22.363Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-3979
Vulnerability from cvelistv5
Published
2015-05-12 20:00
Modified
2024-08-06 06:04
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.
References
URL | Tags |
---|---|
http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/ | x_refsource_MISC |
http://www.securityfocus.com/bid/74626 | vdb-entry, x_refsource_BID |
http://www.securitytracker.com/id/1032309 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:04:02.917Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74626", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74626" }, { "name": "1032309", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1032309" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-30T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74626", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74626" }, { "name": "1032309", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1032309" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3979", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/", "refsource": "MISC", "url": "http://www.onapsis.com/blog/analyzing-sap-security-notes-april-2015-edition/" }, { "name": "74626", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74626" }, { "name": "1032309", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032309" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3979", "datePublished": "2015-05-12T20:00:00", "dateReserved": "2015-05-12T00:00:00", "dateUpdated": "2024-08-06T06:04:02.917Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-1962
Vulnerability from cvelistv5
Published
2014-02-14 15:00
Modified
2024-08-06 09:58
Severity ?
EPSS score ?
Summary
Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue.
References
URL | Tags |
---|---|
https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/ | x_refsource_MISC |
https://service.sap.com/sap/support/notes/1917054 | x_refsource_CONFIRM |
https://exchange.xforce.ibmcloud.com/vulnerabilities/91098 | vdb-entry, x_refsource_XF |
http://secunia.com/advisories/56944 | third-party-advisory, x_refsource_SECUNIA |
http://scn.sap.com/docs/DOC-8218 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:15.591Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://service.sap.com/sap/support/notes/1917054" }, { "name": "sap-crm-info-disc(91098)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91098" }, { "name": "56944", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56944" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://scn.sap.com/docs/DOC-8218" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-10T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://service.sap.com/sap/support/notes/1917054" }, { "name": "sap-crm-info-disc(91098)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91098" }, { "name": "56944", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56944" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://scn.sap.com/docs/DOC-8218" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1962", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-14-003-sap-crm-gwsync-xxe/" }, { "name": "https://service.sap.com/sap/support/notes/1917054", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/1917054" }, { "name": "sap-crm-info-disc(91098)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91098" }, { "name": "56944", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56944" }, { "name": "http://scn.sap.com/docs/DOC-8218", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-8218" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1962", "datePublished": "2014-02-14T15:00:00", "dateReserved": "2014-02-14T00:00:00", "dateUpdated": "2024-08-06T09:58:15.591Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15294
Vulnerability from cvelistv5
Published
2017-10-16 16:00
Modified
2024-08-05 19:50
Severity ?
EPSS score ?
Summary
The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.
References
URL | Tags |
---|---|
http://www.securityfocus.com/bid/99532 | vdb-entry, x_refsource_BID |
https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/ | x_refsource_MISC |
https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:50:16.443Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99532", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99532" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-11T00:00:00", "descriptions": [ { "lang": "en", "value": "The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-10T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "99532", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99532" }, { "tags": [ "x_refsource_MISC" ], "url": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15294", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Java 
administration console in SAP CRM has XSS. This is SAP Security Note 2478964." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "99532", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99532" }, { "name": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-17-035-xss-crm-administration-console-java/" }, { "name": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/", "refsource": "MISC", "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15294", "datePublished": "2017-10-16T16:00:00", "dateReserved": "2017-10-12T00:00:00", "dateUpdated": "2024-08-05T19:50:16.443Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15296
Vulnerability from cvelistv5
Published
2017-10-16 16:00
Modified
2024-08-05 19:50
Severity ?
EPSS score ?
Summary
The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.
References
URL | Tags |
---|---|
https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/ | x_refsource_MISC |
https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:50:16.431Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-11T00:00:00", "descriptions": [ { "lang": "en", "value": "The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-10T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15296", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-17-036-csrf-sap-java-crm/" }, { "name": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/", "refsource": "MISC", "url": "https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15296", "datePublished": "2017-10-16T16:00:00", "dateReserved": "2017-10-12T00:00:00", "dateUpdated": "2024-08-05T19:50:16.431Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }