CVE-2023-22903

api/views/user.py in LibrePhotos before e19e539 has incorrect access control.

Source: CVE-2023-22903

CVE-2023-0023

In SAP Bank Account Management (Manage Banks) application, when a user clicks a smart link to navigate to another app, personal data is shown directly in the URL. They might get captured in log files, bookmarks, and so on disclosing sensitive data of the application.

Source: CVE-2023-0023

CVE-2023-22320

OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability(CWE-22). Furthermore, a crafted URL may be evaluated incorrectly.

Source: CVE-2023-22320

CVE-2023-0022

SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application causing a high impact on the confidentiality, integrity, and availability of the application.

Source: CVE-2023-0022

CVE-2023-0018

Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application – versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim’s web browser can be read, modified, and sent to the attacker.

Source: CVE-2023-0018

CVE-2023-0017

An unauthenticated attacker in SAP NetWeaver AS for Java – version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.

Source: CVE-2023-0017

CVE-2023-0016

SAP BPC MS 10.0 – version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

Source: CVE-2023-0016

CVE-2023-0015

In SAP BusinessObjects Business Intelligence Platform (Web Intelligence user interface) – version 420, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.

Source: CVE-2023-0015

CVE-2023-0014

SAP NetWeaver ABAP Server and ABAP Platform – versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.

Source: CVE-2023-0014

CVE-2023-0013

The ABAP Keyword Documentation of SAP NetWeaver Application Server – versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.

Source: CVE-2023-0013