CVE-2025-23188

Tue, 11/03/2025 – 01:15

Type
CWE-862

Severity 2.0 Txt
Pending analysis

Description (en)
An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity, with no impact on confidentiality and availability.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3557131
  • https://url.sap/sapsecuritypatchday

CVE-2025-23185

Tue, 11/03/2025 – 01:15

Type
CWE-209

Severity 2.0 Txt
Pending analysis

Description (en)
Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical details of the application are revealed in exceptions thrown to the user and in stack traces. Only an attacker with administrator-level privileges has access to this disclosed information, and they could use it to craft further exploits. There is no impact on the integrity and availability of the application.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.10

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3549494
  • https://url.sap/sapsecuritypatchday

CVE-2025-26659

Tue, 11/03/2025 – 01:15

Type
CWE-79

Severity 2.0 Txt
Pending analysis

Description (en)
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of the victim's browser, potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There is no impact on availability.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.10

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3552824
  • https://url.sap/sapsecuritypatchday

CVE-2025-26658

Tue, 11/03/2025 – 01:15

Type
CWE-384

Severity 2.0 Txt
Pending analysis

Description (en)
The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to improper session management, attackers can elevate themselves to higher privileges and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on its availability.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.80

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3561045
  • https://url.sap/sapsecuritypatchday

CVE-2025-26656

Tue, 11/03/2025 – 01:15

Type
CWE-862

Severity 2.0 Txt
Pending analysis

Description (en)
The OData Service in Manage Purchasing Info Records does not perform the necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has a low impact on the integrity of the application.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3474392
  • https://url.sap/sapsecuritypatchday

CVE-2025-26655

Tue, 11/03/2025 – 01:15

Type
CWE-862

Severity 2.0 Txt
Pending analysis

Description (en)
SAP Just In Time (JIT) does not perform the necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application. Confidentiality and availability are not impacted.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
3.10

Severity 3.1 Txt
LOW

References


  • https://me.sap.com/notes/3347991
  • https://url.sap/sapsecuritypatchday

CVE-2025-25245

Tue, 11/03/2025 – 01:15

Type
CWE-79

Severity 2.0 Txt
Pending analysis

Description (en)
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious URL into the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of the victim's browser. There is no impact on availability.

11/03/2025

11/03/2025

CVSS:3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.40

Severity 3.1 Txt
MEDIUM

References


  • https://me.sap.com/notes/3557469
  • https://url.sap/sapsecuritypatchday

CVE-2025-2137

Mon, 10/03/2025 – 21:15

Type
CWE-125

Severity 2.0 Txt
Pending analysis

Description (en)
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

10/03/2025

10/03/2025

Severity 3.1 Txt
Pending analysis

References


  • https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
  • https://issues.chromium.org/issues/398999390

CVE-2025-2136

Mon, 10/03/2025 – 21:15

Type
CWE-416

Severity 2.0 Txt
Pending analysis

Description (en)
Use after free in Inspector in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

10/03/2025

10/03/2025

Severity 3.1 Txt
Pending analysis

References


  • https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
  • https://issues.chromium.org/issues/395032416

CVE-2025-2135

Mon, 10/03/2025 – 21:15

Type
CWE-843

Severity 2.0 Txt
Pending analysis

Description (en)
Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

10/03/2025

10/03/2025

Severity 3.1 Txt
Pending analysis

References


  • https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
  • https://issues.chromium.org/issues/400052777