Vulnerabilities > SAP > Enable NOW > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-09 CVE-2024-34692 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Enable NOW
Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files.
network
low complexity
sap CWE-434
4.6
2023-07-11 CVE-2023-33988 Cross-site Scripting vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Content-Security-Policy and X-XSS-Protection response headers are not implemented, allowing an unauthenticated attacker to attempt reflected cross-site scripting, which could result in disclosure or modification of information.
network
low complexity
sap CWE-79
6.1
2023-07-11 CVE-2023-36918 Cross-site Scripting vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an unauthenticated attacker to trigger MIME type sniffing, which leads to Cross-Site Scripting, which could result in disclosure or modification of information.
network
low complexity
sap CWE-79
6.1
2023-07-11 CVE-2023-36919 Intentional Information Exposure vulnerability in SAP Enable NOW
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated attacker to obtain referrer details, resulting in information disclosure.
network
low complexity
sap CWE-213
5.3
2022-10-11 CVE-2022-35297 Cross-site Scripting vulnerability in SAP Enable NOW 10
The application SAP Enable Now does not sufficiently encode user-controlled inputs over the network before it is placed in the output being served to other users, thereby expanding the attack scope, resulting in Stored Cross-Site Scripting (XSS) vulnerability leading to limited impact on Confidentiality, Integrity and Availability.
network
low complexity
sap CWE-79
5.4
2021-06-09 CVE-2021-27637 Unspecified vulnerability in SAP Enable NOW 1.0/10.0
Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an attacker to access information which would otherwise be restricted leading to information disclosure.
low complexity
sap
4.6
2020-03-10 CVE-2020-6178 Information Exposure vulnerability in SAP Enable NOW 10/1902/1908
SAP Enable Now, before version 1911, sends the Session ID cookie value in URL.
network
low complexity
sap CWE-200
5.4
2019-11-13 CVE-2019-0385 Cross-site Scripting vulnerability in SAP Enable NOW 10/1902
SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
network
low complexity
sap CWE-79
6.5
2019-08-14 CVE-2019-0340 XXE vulnerability in SAP Enable NOW 10
The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability.
network
low complexity
sap CWE-611
5.4