Filtered by vendor Sap
Subscribe
Total
1426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28765 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-04-14 | N/A | 9.8 CRITICAL |
| An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application. | |||||
| CVE-2023-28763 | 1 Sap | 1 Netweaver Application Server Abap | 2023-04-14 | N/A | 6.5 MEDIUM |
| SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | |||||
| CVE-2023-28761 | 1 Sap | 1 Netweaver Enterprise Portal | 2023-04-14 | N/A | 6.5 MEDIUM |
| In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity. | |||||
| CVE-2023-27897 | 1 Sap | 1 Customer Relationship Management | 2023-04-14 | N/A | 6.3 MEDIUM |
| In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability. | |||||
| CVE-2023-27267 | 1 Sap | 1 Diagnostics Agent | 2023-04-14 | N/A | 8.1 HIGH |
| Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent - version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | |||||
| CVE-2023-26458 | 1 Sap | 1 Landscape Management | 2023-04-14 | N/A | 8.7 HIGH |
| An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition. It allows an authenticated SAP Landscape Management user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification.The disclosed information is for Diagnostics Agent Connection via Java SCS Message Server of an SAP Solution Manager system and can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to the SAP Solution Manager system. | |||||
| CVE-2023-24527 | 1 Sap | 1 Netweaver As Java For Deploy Service | 2023-04-14 | N/A | 5.3 MEDIUM |
| SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity. | |||||
| CVE-2023-25618 | 1 Sap | 1 Netweaver Application Server Abap | 2023-04-11 | N/A | 6.5 MEDIUM |
| SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. | |||||
| CVE-2023-25617 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2023-04-11 | N/A | 8.8 HIGH |
| SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system. | |||||
| CVE-2023-25616 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2023-04-11 | N/A | 8.8 HIGH |
| In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system. | |||||
| CVE-2023-25615 | 1 Sap | 1 Abap Platform | 2023-04-11 | N/A | 4.9 MEDIUM |
| Due to insufficient input sanitization, SAP ABAP - versions 751, 753, 753, 754, 756, 757, 791, allows an authenticated high privileged user to alter the current session of the user by injecting the malicious database queries over the network and gain access to the unintended data. This may lead to a high impact on the confidentiality and no impact on the availability and integrity of the application. | |||||
| CVE-2023-25614 | 1 Sap | 1 Netweaver Application Server Abap | 2023-04-11 | N/A | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application. | |||||
| CVE-2023-24530 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-04-11 | N/A | 9.1 CRITICAL |
| SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application. | |||||
| CVE-2023-24529 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2023-04-11 | N/A | 6.1 MEDIUM |
| Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allow malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session, read and modify some sensitive information. | |||||
| CVE-2023-24528 | 1 Sap | 1 Fiori | 2023-04-11 | N/A | 6.5 MEDIUM |
| SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents. | |||||
| CVE-2023-24526 | 1 Sap | 1 Netweaver Application Server Java | 2023-04-11 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. | |||||
| CVE-2023-24525 | 1 Sap | 2 Customer Relationship Management Webclient Ui, S4fnd | 2023-04-11 | N/A | 5.4 MEDIUM |
| SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the application. | |||||
| CVE-2023-24524 | 1 Sap | 1 S\/4hana | 2023-04-11 | N/A | 6.5 MEDIUM |
| SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability. | |||||
| CVE-2023-24522 | 1 Sap | 1 Netweaver Application Server Abap | 2023-04-11 | N/A | 6.1 MEDIUM |
| Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application. | |||||
| CVE-2023-24521 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2023-04-11 | N/A | 6.1 MEDIUM |
| Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application. | |||||