Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-29185
Publication date:
11/04/2023
SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server&amp;#39;s resources sufficiently to make it unavailable over the network without any user interaction.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29186
Publication date:
11/04/2023
In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files can be overwritten making the system unavailable.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29110
Publication date:
11/04/2023
The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-24527
Publication date:
11/04/2023
SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-26458
Publication date:
11/04/2023
An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition. It allows an authenticated SAP Landscape Management user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification.The disclosed information is for Diagnostics Agent Connection via Java SCS Message Server of an SAP Solution Manager system and can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to the SAP Solution Manager system.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-27267
Publication date:
11/04/2023
Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent - version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-27897
Publication date:
11/04/2023
In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-28761
Publication date:
11/04/2023
In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-28763
Publication date:
11/04/2023
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server&amp;#39;s resources sufficiently to make it unavailable over the network without any user interaction.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-28765
Publication date:
11/04/2023
An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2023

CVE-2023-1903
Publication date:
11/04/2023
SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29108
Publication date:
11/04/2023
The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023
Subscribe to Vulnerabilities