CVE-2022-41263 (via National Vulnerability Database)
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.
CVE-2022-0925 (via National Vulnerability Database)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2022-46903 (via National Vulnerability Database)
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS.
CVE-2022-41262 (via National Vulnerability Database)
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.
CVE-2022-41261 (via National Vulnerability Database)
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on a Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.
CVE-2022-46905 (via National Vulnerability Database)
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.
CVE-2022-46906 (via National Vulnerability Database)
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.
Metaparasites & the Dark Web: Scammers Turn on Their Own (via Dark Reading)
Sophos research unveiled at Black Hat Europe details a thriving subeconomy of fraud on the cybercrime underground, aimed at Dark Web forum users.
Rash of New Ransomware Variants Springs Up in the Wild (via Dark Reading)
Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.
CVE-2021-41943 (via National Vulnerability Database)
Logrhythm Web Console 7.4.9 allows for HTML tag injection through Contextualize Action -> Create a new Contextualize Action -> Inject your HTML tag in the name field.
CVE-2022-3931 (via National Vulnerability Database)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2022-45269 (via National Vulnerability Database)
A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files.
CVE-2022-41264 (via National Vulnerability Database)
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.
CVE-2022-41267 (via National Vulnerability Database)
SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on the Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application.
CVE-2022-41273 (via National Vulnerability Database)
Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL. Since the victim doesn't suspect the threat, they click on the link, log in to SAP Sourcing and CLM, and at this point they get redirected to a malicious website.
CVE-2022-41275 (via National Vulnerability Database)
In SAP Solution Manager (Enterprise Search) - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity.
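Both CVE-2022-41273 and CVE-2022-41275 describe open redirects: a link that looks like the application's own URL but sends the user elsewhere after login. The following is an added example, not SAP code, of validating a post-login "return to" parameter with the WHATWG URL parser (the URL class built into Node and browsers). The origin https://sourcing.example.com and the function name are assumptions made for this illustration.

```javascript
// Added example, not SAP code: validating a post-login redirect target.
// APP_ORIGIN is an assumed origin; safeRedirectTarget is a made-up name.
const APP_ORIGIN = 'https://sourcing.example.com';

// Returns a same-origin path to redirect to, or `fallback` when the requested
// target would leave the application. Parsing relative to APP_ORIGIN makes the
// parser resolve tricky inputs the same way a browser would:
//   "//evil.example/x"            -> authority evil.example (foreign origin)
//   "/\evil.example"              -> backslash is a slash in special schemes
//   "javascript:alert(1)"         -> opaque origin "null"
//   "https://app.example@evil..." -> userinfo trick, still a foreign host
function safeRedirectTarget(target, fallback = '/') {
  if (typeof target !== 'string' || target.trim() === '') return fallback;
  let parsed;
  try {
    parsed = new URL(target, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Re-serialise only the local part, never the raw input.
  const local = parsed.pathname + parsed.search + parsed.hash;
  // A pathname can itself begin with "//" (e.g. "https://sourcing.example.com//evil.example"),
  // which a browser would read as a network-path reference to evil.example when
  // sent back in a Location header. Require exactly one leading slash.
  if (!/^\/(?![\/\\])/.test(local)) return fallback;
  return local;
}

module.exports = { APP_ORIGIN, safeRedirectTarget };
```

The important design choice is that the function never echoes the caller's string back: it emits the parser's normalised path, so any ambiguity in how the raw input would be interpreted is resolved before the value reaches the Location header. An allow-list of known application routes would be stricter still.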
CVE-2022-41272 (via National Vulnerability Database)
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application.
CVE-2022-41274 (via National Vulnerability Database)
SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports.
CVE-2022-41271 (via National Vulnerability Database)
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to:
* Read any information
* Modify sensitive information
* Denial of Service attacks (DoS)
* SQL Injection
CVE-2022-41268 (via National Vulnerability Database)
In some SAP standard roles in SAP Business Planning and Consolidation - versions SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such a transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.
CVE-2022-41266 (via National Vulnerability Database)
Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.
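Five of the entries on this page are the same defect in different places: the stored and reflected XSS in WebSoft HCM (CVE-2022-46903, CVE-2022-46905, CVE-2022-46906), the HTML tag injection in the LogRhythm Web Console name field (CVE-2021-41943), and the DOM-based XSS in the SAP Commerce Swagger UI (CVE-2022-41266). The added example below, written for this page and not taken from any of those products, shows the common fix: encode user data for the HTML context it lands in, whether the page is assembled on the server or by script from location.hash. The render functions, the CSS class names and the PAYLOAD string are constructed for the illustration.

```javascript
// Added example, not WebSoft, LogRhythm or SAP code: HTML output encoding for
// the server-rendered and DOM-based cases in the advisories above. PAYLOAD is a
// constructed sample input; the render functions are hypothetical stand-ins.

// Encode the five characters that can change meaning inside HTML text and
// inside double- or single-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample: a "name" value an authenticated user could submit and
// that the application later shows to other users (stored XSS) or echoes back
// in the same response (reflected XSS).
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

// Vulnerable server-side pattern: user data concatenated straight into markup.
// The browser parses the <img> tag and runs its onerror handler.
function renderActionUnsafe(name) {
  return `<li class="action" title="${name}">${name}</li>`;
}

// Hardened: the same template, with every interpolation encoded. Encoding covers
// both the text node and the quoted attribute here; an unquoted attribute or a
// URL/JS context would need its own encoder, so keep interpolations quoted.
function renderActionSafe(name) {
  const safe = escapeHtml(name);
  return `<li class="action" title="${safe}">${safe}</li>`;
}

// DOM-based pattern: the source is location.hash (attacker-controlled via the
// link they send) and the sink is element.innerHTML. With encode=false this is
// the vulnerable flow; with encode=true the data is encoded before it reaches
// the sink. Using a text sink (element.textContent) instead of innerHTML is the
// other correct fix, since then the browser never parses the value as markup.
function definitionHtmlFromHash(hash, { encode }) {
  let raw;
  try {
    raw = decodeURIComponent(hash.replace(/^#/, ''));
  } catch {
    raw = ''; // malformed percent-encoding: show nothing rather than throw
  }
  const shown = encode ? escapeHtml(raw) : raw;
  return `<p class="definition">${shown}</p>`; // string destined for innerHTML
}

module.exports = { escapeHtml, PAYLOAD, renderActionUnsafe, renderActionSafe, definitionHtmlFromHash };
```

For the DOM case the check to make during review is which sink the value reaches: innerHTML, outerHTML, document.write and jQuery's .html() parse markup, while textContent, innerText and setAttribute on a non-event attribute do not. Encoding at the template boundary is still the right habit because the same value tends to flow to more than one sink over time.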