CVE-2025-27436

Title (es)
CVE-2025-27436

Tue, 11/03/2025 – 01:15

Type
CWE-639

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27436

Description (en)
The Manage Bank Statements app in SAP S/4HANA does not perform the required access control checks to confirm that an authenticated user's request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References

  • https://me.sap.com/notes/3565835
  • https://url.sap/sapsecuritypatchday

CVE-2025-27434

Title (es)
CVE-2025-27434

Tue, 11/03/2025 – 01:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27434

Description (en)
Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject malicious code from remote sources, which can be leveraged to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the confidentiality, integrity, and availability of data in SAP Commerce.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
8.80

Severity 3.1 (text)
HIGH

References

  • https://me.sap.com/notes/3569602
  • https://url.sap/sapsecuritypatchday

CVE-2025-27433

Title (es)
CVE-2025-27433

Tue, 11/03/2025 – 01:15

Type
CWE-639

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27433

Description (en)
The Manage Bank Statements app in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on the confidentiality or availability of the application.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References

  • https://me.sap.com/notes/3565835
  • https://url.sap/sapsecuritypatchday

CVE-2025-27432

Title (es)
CVE-2025-27432

Tue, 11/03/2025 – 01:15

Type
CWE-862

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27432

Description (en)
The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing a specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on confidentiality, with no effect on the integrity or availability of the application.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
2.40

Severity 3.1 (text)
LOW

References

  • https://me.sap.com/notes/3568865
  • https://url.sap/sapsecuritypatchday

CVE-2025-27431

Title (es)
CVE-2025-27431

Tue, 11/03/2025 – 01:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27431

Description (en)
User management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS). This could enable an attacker to inject a malicious payload that gets stored and executed when a user accesses the functionality, leading to information disclosure or unauthorized data modification within the scope of the victim's browser. There is no impact on availability.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.40

Severity 3.1 (text)
MEDIUM

References

  • https://me.sap.com/notes/3567246
  • https://url.sap/sapsecuritypatchday

CVE-2025-27430

Title (es)
CVE-2025-27430

Tue, 11/03/2025 – 01:15

Type
CWE-918

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-27430

Description (en)
Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
3.50

Severity 3.1 (text)
LOW

References

  • https://me.sap.com/notes/3561861
  • https://url.sap/sapsecuritypatchday

CVE-2024-12010

Title (es)
CVE-2024-12010

Tue, 11/03/2025 – 02:15

Type
CWE-78

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-12010

Description (en)
A post-authentication command injection vulnerability in the "zyUtilMailSend" function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
7.20

Severity 3.1 (text)
HIGH

References

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025

CVE-2024-12009

Title (es)
CVE-2024-12009

Tue, 11/03/2025 – 02:15

Type
CWE-78

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-12009

Description (en)
A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
7.20

Severity 3.1 (text)
HIGH

References

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025

CVE-2024-11253

Title (es)
CVE-2024-11253

Tue, 11/03/2025 – 02:15

Type
CWE-78

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-11253

Description (en)
A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
7.20

Severity 3.1 (text)
HIGH

References

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025

CVE-2025-23194

Title (es)
CVE-2025-23194

Tue, 11/03/2025 – 01:15

Type
CWE-306

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-23194

Description (en)
SAP NetWeaver Enterprise Portal OBN does not perform a proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value, causing a low impact on integrity. There is no impact on the confidentiality or availability of the application.

11/03/2025

11/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.30

Severity 3.1 (text)
MEDIUM

References

  • https://me.sap.com/notes/3561792
  • https://url.sap/sapsecuritypatchday