From 70f49d09eddf19af10a1e61ea15851110538f010 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 11 Mar 2025 01:00:32 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/22xxx/CVE-2024-22340.json | 91 ++++++++++++++++- 2024/41xxx/CVE-2024-41760.json | 91 ++++++++++++++++- 2024/49xxx/CVE-2024-49823.json | 91 ++++++++++++++++- 2025/0xxx/CVE-2025-0062.json | 91 ++++++++++++++++- 2025/0xxx/CVE-2025-0071.json | 111 +++++++++++++++++++- 2025/23xxx/CVE-2025-23185.json | 91 ++++++++++++++++- 2025/23xxx/CVE-2025-23188.json | 115 ++++++++++++++++++++- 2025/23xxx/CVE-2025-23194.json | 83 ++++++++++++++- 2025/25xxx/CVE-2025-25242.json | 123 +++++++++++++++++++++- 2025/25xxx/CVE-2025-25244.json | 147 ++++++++++++++++++++++++++- 2025/25xxx/CVE-2025-25245.json | 87 +++++++++++++++- 2025/26xxx/CVE-2025-26655.json | 107 +++++++++++++++++++- 2025/26xxx/CVE-2025-26656.json | 95 ++++++++++++++++- 2025/26xxx/CVE-2025-26658.json | 87 +++++++++++++++- 2025/26xxx/CVE-2025-26659.json | 107 +++++++++++++++++++- 2025/26xxx/CVE-2025-26660.json | 103 ++++++++++++++++++- 2025/26xxx/CVE-2025-26661.json | 139 ++++++++++++++++++++++++- 2025/27xxx/CVE-2025-27430.json | 179 ++++++++++++++++++++++++++++++++- 2025/27xxx/CVE-2025-27431.json | 83 ++++++++++++++- 2025/27xxx/CVE-2025-27432.json | 115 ++++++++++++++++++++- 2025/27xxx/CVE-2025-27433.json | 87 +++++++++++++++- 2025/27xxx/CVE-2025-27434.json | 83 ++++++++++++++- 2025/27xxx/CVE-2025-27436.json | 87 +++++++++++++++- 23 files changed, 2301 insertions(+), 92 deletions(-) diff --git a/2024/22xxx/CVE-2024-22340.json b/2024/22xxx/CVE-2024-22340.json index 82653b9d378..8adb0bd200e 100644 --- a/2024/22xxx/CVE-2024-22340.json +++ b/2024/22xxx/CVE-2024-22340.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-22340", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 \n\n\n\ncould allow a remote attacker to obtain sensitive information during the creation of ECDSA signatures to perform a timing-based attack." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-208 Observable Timing Discrepancy", + "cweId": "CWE-208" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Common Cryptographic Architecture", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + }, + { + "product_name": "4769 Developers Toolkit", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7185282", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7185282" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/41xxx/CVE-2024-41760.json b/2024/41xxx/CVE-2024-41760.json index ef68931028f..e42e499f0bd 100644 --- a/2024/41xxx/CVE-2024-41760.json +++ b/2024/41xxx/CVE-2024-41760.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-41760", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 \n\ncould allow an attacker to obtain sensitive information due to a timing attack during certain RSA operations." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-203 Observable Discrepancy", + "cweId": "CWE-203" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Common Cryptographic Architecture", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + }, + { + "product_name": "4769 Developers Toolkit", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7185282", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7185282" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/49xxx/CVE-2024-49823.json b/2024/49xxx/CVE-2024-49823.json index 799a7f0bbee..bc8ffc904c0 100644 --- a/2024/49xxx/CVE-2024-49823.json +++ b/2024/49xxx/CVE-2024-49823.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-49823", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an authenticated user to cause a denial of service in the Hardware Security Module (HSM) using a specially crafted sequence of valid requests." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-787 Out-of-bounds Write", + "cweId": "CWE-787" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Common Cryptographic Architecture", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + }, + { + "product_name": "4769 Developers Toolkit", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.0.0", + "version_value": "7.5.51" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7185282", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7185282" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ] } diff --git a/2025/0xxx/CVE-2025-0062.json b/2025/0xxx/CVE-2025-0062.json index 0f706aa2f97..cdabc26c49b 100644 --- a/2025/0xxx/CVE-2025-0062.json +++ b/2025/0xxx/CVE-2025-0062.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-0062", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim\ufffds browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP BusinessObjects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "ENTERPRISE 430" + }, + { + "version_affected": "=", + "version_value": "2025" + }, + { + "version_affected": "=", + "version_value": "ENTERPRISECLIENTTOOLS 430" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3557459", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3557459" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/0xxx/CVE-2025-0071.json b/2025/0xxx/CVE-2025-0071.json index 2a8798ebf12..e26029d05d8 100644 --- a/2025/0xxx/CVE-2025-0071.json +++ b/2025/0xxx/CVE-2025-0071.json @@ -1,17 +1,120 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-0071", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Web Dispatcher and Internet Communication Manager allow an attacker with administrative privileges to enable debugging trace mode with a specific parameter value. This exposes unencrypted passwords in the logs, causing a high impact on the confidentiality of the application. There is no impact on integrity or availability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-532: Insertion of Sensitive Information into Log File", + "cweId": "CWE-532" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Web Dispatcher and Internet Communication Manager", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "KRNL64UC 7.53" + }, + { + "version_affected": "=", + "version_value": "WEBDISP 7.53" + }, + { + "version_affected": "=", + "version_value": "7.54" + }, + { + "version_affected": "=", + "version_value": "7.77" + }, + { + "version_affected": "=", + "version_value": "7.89" + }, + { + "version_affected": "=", + "version_value": "7.93" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.53" + }, + { + "version_affected": "=", + "version_value": "9.14" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3558132", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3558132" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2025/23xxx/CVE-2025-23185.json b/2025/23xxx/CVE-2025-23185.json index b889f29d0e0..5a4b07e94fc 100644 --- a/2025/23xxx/CVE-2025-23185.json +++ b/2025/23xxx/CVE-2025-23185.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-23185", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical details of the application are revealed in exceptions thrown to the user and in stack traces. Only an attacker with administrator level privileges has access to this disclosed information, and they could use it to craft further exploits. There is no impact on the integrity and availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-209: Generation of Error Message Containing Sensitive Information", + "cweId": "CWE-209" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Objects Business Intelligence Platform", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "ENTERPRISE 430" + }, + { + "version_affected": "=", + "version_value": "2025" + }, + { + "version_affected": "=", + "version_value": "2027" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3549494", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3549494" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2025/23xxx/CVE-2025-23188.json b/2025/23xxx/CVE-2025-23188.json index 5acad389cc2..05dbea435bf 100644 --- a/2025/23xxx/CVE-2025-23188.json +++ b/2025/23xxx/CVE-2025-23188.json @@ -1,17 +1,124 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-23188", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP S/4HANA (RBD)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 102" + }, + { + "version_affected": "=", + "version_value": "103" + }, + { + "version_affected": "=", + "version_value": "104" + }, + { + "version_affected": "=", + "version_value": "105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "108" + }, + { + "version_affected": "=", + "version_value": "EA-FINSERV 618" + }, + { + "version_affected": "=", + "version_value": "EA-FINSERV 800" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3557131", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3557131" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/23xxx/CVE-2025-23194.json b/2025/23xxx/CVE-2025-23194.json index bc4839e248e..69ed35b6e15 100644 --- a/2025/23xxx/CVE-2025-23194.json +++ b/2025/23xxx/CVE-2025-23194.json @@ -1,17 +1,92 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-23194", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. As result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-306: Missing Authentication for Critical Function", + "cweId": "CWE-306" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver Enterprise Portal (OBN component)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "EP-RUNTIME 7.50" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3561792", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3561792" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/25xxx/CVE-2025-25242.json b/2025/25xxx/CVE-2025-25242.json index 8f749098840..d8e7b325f8d 100644 --- a/2025/25xxx/CVE-2025-25242.json +++ b/2025/25xxx/CVE-2025-25242.json @@ -1,17 +1,132 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-25242", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver Application Server ABAP", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "SAP_BASIS 740" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 750" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 751" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 752" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 753" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 754" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 755" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 756" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 757" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 758" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 914" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3562390", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3562390" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/25xxx/CVE-2025-25244.json b/2025/25xxx/CVE-2025-25244.json index ba9f21ee91d..6f56b33341b 100644 --- a/2025/25xxx/CVE-2025-25244.json +++ b/2025/25xxx/CVE-2025-25244.json @@ -1,17 +1,156 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-25244", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on confidentiality or availability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business Warehouse (Process Chains)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "DW4CORE 100" + }, + { + "version_affected": "=", + "version_value": "200" + }, + { + "version_affected": "=", + "version_value": "300" + }, + { + "version_affected": "=", + "version_value": "400" + }, + { + "version_affected": "=", + "version_value": "914" + }, + { + "version_affected": "=", + "version_value": "SAP_BW 730" + }, + { + "version_affected": "=", + "version_value": "731" + }, + { + "version_affected": "=", + "version_value": "740" + }, + { + "version_affected": "=", + "version_value": "750" + }, + { + "version_affected": "=", + "version_value": "751" + }, + { + "version_affected": "=", + "version_value": "752" + }, + { + "version_affected": "=", + "version_value": "753" + }, + { + "version_affected": "=", + "version_value": "754" + }, + { + "version_affected": "=", + "version_value": "755" + }, + { + "version_affected": "=", + "version_value": "756" + }, + { + "version_affected": "=", + "version_value": "757" + }, + { + "version_affected": "=", + "version_value": "758" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3552144", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3552144" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" } ] } diff --git a/2025/25xxx/CVE-2025-25245.json b/2025/25xxx/CVE-2025-25245.json index b90b2c3fa24..04804eb1ec6 100644 --- a/2025/25xxx/CVE-2025-25245.json +++ b/2025/25xxx/CVE-2025-25245.json @@ -1,17 +1,96 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-25245", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim\ufffds browser. There is no impact on availability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP BusinessObjects Business Intelligence Platform (Web Intelligence)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "ENTERPRISE 430" + }, + { + "version_affected": "=", + "version_value": "2025" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3557469", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3557469" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26655.json b/2025/26xxx/CVE-2025-26655.json index 3c2e487b335..ccccc1fbb79 100644 --- a/2025/26xxx/CVE-2025-26655.json +++ b/2025/26xxx/CVE-2025-26655.json @@ -1,17 +1,116 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26655", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Just In Time(JIT) does not perform necessary authorization checks for an authenticated user, allowing attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application.Confidentiality and Availability are not impacted." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Just In Time", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 102" + }, + { + "version_affected": "=", + "version_value": "103" + }, + { + "version_affected": "=", + "version_value": "104" + }, + { + "version_affected": "=", + "version_value": "105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "ECC-DIMP 618" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3347991", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3347991" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.1, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26656.json b/2025/26xxx/CVE-2025-26656.json index 4e8d2f21145..20c37cd1a45 100644 --- a/2025/26xxx/CVE-2025-26656.json +++ b/2025/26xxx/CVE-2025-26656.json @@ -1,17 +1,104 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26656", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "S/4HANA (Manage Purchasing Info Records)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "108" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3474392", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3474392" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26658.json b/2025/26xxx/CVE-2025-26658.json index 3c86f390b9d..6af1033b3e4 100644 --- a/2025/26xxx/CVE-2025-26658.json +++ b/2025/26xxx/CVE-2025-26658.json @@ -1,17 +1,96 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26658", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-384: Session Fixation", + "cweId": "CWE-384" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Business One (Service Layer)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "B1_ON_HANA 10.0" + }, + { + "version_affected": "=", + "version_value": "SAP-M-BO 10.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3561045", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3561045" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26659.json b/2025/26xxx/CVE-2025-26659.json index b5d090a6195..9e09d3c9ddc 100644 --- a/2025/26xxx/CVE-2025-26659.json +++ b/2025/26xxx/CVE-2025-26659.json @@ -1,17 +1,116 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26659", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim\ufffds browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There is no impact on availability" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "KRNL64UC 7.53" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.53" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.54" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.77" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.89" + }, + { + "version_affected": "=", + "version_value": "KERNEL 7.93" + }, + { + "version_affected": "=", + "version_value": "KERNEL 9.14" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3552824", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3552824" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26660.json b/2025/26xxx/CVE-2025-26660.json index 59dfb254a87..934078977be 100644 --- a/2025/26xxx/CVE-2025-26660.json +++ b/2025/26xxx/CVE-2025-26660.json @@ -1,17 +1,112 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26660", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639: Authorization Bypass Through User-Controlled Key", + "cweId": "CWE-639" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Fiori apps (Posting Library)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 103" + }, + { + "version_affected": "=", + "version_value": "104" + }, + { + "version_affected": "=", + "version_value": "105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "108" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3557655", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3557655" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/26xxx/CVE-2025-26661.json b/2025/26xxx/CVE-2025-26661.json index a627001445e..dd252897a81 100644 --- a/2025/26xxx/CVE-2025-26661.json +++ b/2025/26xxx/CVE-2025-26661.json @@ -1,17 +1,148 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-26661", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver (ABAP Class Builder)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "SAP_BASIS 700" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 701" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 702" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 731" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 740" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 750" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 751" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 752" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 753" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 754" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 755" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 756" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 757" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 758" + }, + { + "version_affected": "=", + "version_value": "SAP_BASIS 914" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3563927", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3563927" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27430.json b/2025/27xxx/CVE-2025-27430.json index 14b028a99d2..b44a42c92e3 100644 --- a/2025/27xxx/CVE-2025-27430.json +++ b/2025/27xxx/CVE-2025-27430.json @@ -1,17 +1,188 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27430", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918: Server-Side Request Forgery (SSRF)", + "cweId": "CWE-918" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP CRM and SAP S/4HANA (Interaction Center)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CRM 100" + }, + { + "version_affected": "=", + "version_value": "200" + }, + { + "version_affected": "=", + "version_value": "204" + }, + { + "version_affected": "=", + "version_value": "205" + }, + { + "version_affected": "=", + "version_value": "206" + }, + { + "version_affected": "=", + "version_value": "S4FND 102" + }, + { + "version_affected": "=", + "version_value": "103" + }, + { + "version_affected": "=", + "version_value": "104" + }, + { + "version_affected": "=", + "version_value": "105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "108" + }, + { + "version_affected": "=", + "version_value": "S4CEXT 107" + }, + { + "version_affected": "=", + "version_value": "BBPCRM 701" + }, + { + "version_affected": "=", + "version_value": "702" + }, + { + "version_affected": "=", + "version_value": "712" + }, + { + "version_affected": "=", + "version_value": "713" + }, + { + "version_affected": "=", + "version_value": "714" + }, + { + "version_affected": "=", + "version_value": "WEBCUIF 701" + }, + { + "version_affected": "=", + "version_value": "731" + }, + { + "version_affected": "=", + "version_value": "746" + }, + { + "version_affected": "=", + "version_value": "747" + }, + { + "version_affected": "=", + "version_value": "748" + }, + { + "version_affected": "=", + "version_value": "800" + }, + { + "version_affected": "=", + "version_value": "801" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3561861", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3561861" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27431.json b/2025/27xxx/CVE-2025-27431.json index a423b544934..2e0f86155a1 100644 --- a/2025/27xxx/CVE-2025-27431.json +++ b/2025/27xxx/CVE-2025-27431.json @@ -1,17 +1,92 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27431", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "User management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS). This could enable an attacker to inject malicious payload that gets stored and executed when a user accesses the functionality, hence leading to information disclosure or unauthorized data modifications within the scope of victim\ufffds browser. There is no impact on availability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP NetWeaver Application Server Java", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "AJAX-RUNTIME 7.50" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3567246", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3567246" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27432.json b/2025/27xxx/CVE-2025-27432.json index a4c9e416c34..50fcd4e01ee 100644 --- a/2025/27xxx/CVE-2025-27432.json +++ b/2025/27xxx/CVE-2025-27432.json @@ -1,17 +1,124 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27432", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing the specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on the confidentiality with no effect on the integrity and the availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Electronic Invoicing for Brazil (eDocument Cockpit)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "SAP_APPL 617" + }, + { + "version_affected": "=", + "version_value": "618" + }, + { + "version_affected": "=", + "version_value": "S4CORE 102" + }, + { + "version_affected": "=", + "version_value": "103" + }, + { + "version_affected": "=", + "version_value": "104" + }, + { + "version_affected": "=", + "version_value": "105" + }, + { + "version_affected": "=", + "version_value": "106" + }, + { + "version_affected": "=", + "version_value": "107" + }, + { + "version_affected": "=", + "version_value": "108" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3568865", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3568865" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 2.4, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27433.json b/2025/27xxx/CVE-2025-27433.json index 6fc220083d3..0295bead0bf 100644 --- a/2025/27xxx/CVE-2025-27433.json +++ b/2025/27xxx/CVE-2025-27433.json @@ -1,17 +1,96 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27433", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on confidentiality and availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639: Authorization Bypass Through User-Controlled Key", + "cweId": "CWE-639" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP S/4HANA (Manage Bank Statements)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 107" + }, + { + "version_affected": "=", + "version_value": "108" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3565835", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3565835" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27434.json b/2025/27xxx/CVE-2025-27434.json index 04b8360439c..88471ac87b7 100644 --- a/2025/27xxx/CVE-2025-27434.json +++ b/2025/27xxx/CVE-2025-27434.json @@ -1,17 +1,92 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27434", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the confidentiality, integrity, and availability of data in SAP Commerce." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP Commerce (Swagger UI)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "COM_CLOUD 2211" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3569602", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3569602" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/27xxx/CVE-2025-27436.json b/2025/27xxx/CVE-2025-27436.json index a76558c8213..b582d269d7b 100644 --- a/2025/27xxx/CVE-2025-27436.json +++ b/2025/27xxx/CVE-2025-27436.json @@ -1,17 +1,96 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-27436", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@sap.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639: Authorization Bypass Through User-Controlled Key", + "cweId": "CWE-639" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "SAP_SE", + "product": { + "product_data": [ + { + "product_name": "SAP S/4HANA (Manage Bank Statements)", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "S4CORE 107" + }, + { + "version_affected": "=", + "version_value": "108" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://me.sap.com/notes/3565835", + "refsource": "MISC", + "name": "https://me.sap.com/notes/3565835" + }, + { + "url": "https://url.sap/sapsecuritypatchday", + "refsource": "MISC", + "name": "https://url.sap/sapsecuritypatchday" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] }