Filtered by vendor Sap
Subscribe
Total
1426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22540 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. | |||||
| CVE-2022-35294 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | N/A | 5.4 MEDIUM |
| An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. | |||||
| CVE-2020-6240 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service | |||||
| CVE-2021-44231 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2020-6310 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2022-10-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure. | |||||
| CVE-2020-6275 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-05 | 6.8 MEDIUM | 9.8 CRITICAL |
| SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database. | |||||
| CVE-2019-0321 | 1 Sap | 2 Netweaver Application Server Abap, Netweaver As Abap | 2022-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-35298 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-10-01 | N/A | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal (KMC) - version 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. KMC servlet is vulnerable to XSS attack. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser session. | |||||
| CVE-2022-39014 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-10-01 | N/A | 5.3 MEDIUM |
| Under certain conditions SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430, allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted. | |||||
| CVE-2022-39801 | 1 Sap | 1 Access Control | 2022-10-01 | N/A | 7.5 HIGH |
| SAP GRC Access control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad. This attack can be launched only within the firewall. On successful exploitation the attacker can gain access to admin session and completely compromise the application. | |||||
| CVE-2022-35292 | 1 Sap | 1 Business One | 2022-10-01 | N/A | 7.8 HIGH |
| In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability. | |||||
| CVE-2021-21468 | 1 Sap | 1 Business Warehouse | 2022-10-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. | |||||
| CVE-2021-21466 | 1 Sap | 2 Business Warehouse, Bw\/4hana | 2022-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service. | |||||
| CVE-2022-22532 | 1 Sap | 1 Netweaver Application Server Java | 2022-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. | |||||
| CVE-2022-32244 | 1 Sap | 1 Businessobjects Business Intelligence | 2022-09-20 | N/A | 5.2 MEDIUM |
| Under certain conditions an attacker authenticated as a CMS administrator access the BOE Commentary database and retrieve (non-personal) system data, modify system data but can't make the system unavailable. This needs the attacker to have high privilege access to the same physical/logical network to access information which would otherwise be restricted, leading to low impact on confidentiality and high impact on integrity of the application. | |||||
| CVE-2022-28213 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-09-09 | 5.5 MEDIUM | 8.1 HIGH |
| When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server and in successful exploits of DoS. | |||||
| CVE-2022-35290 | 1 Sap | 1 Authenticator | 2022-08-15 | N/A | 7.5 HIGH |
| Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2022-35293 | 1 Sap | 1 Enable Now Manager | 2022-08-15 | N/A | 9.1 CRITICAL |
| Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to user's account. On successful exploitation, an attacker can view or modify user data causing limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-35291 | 1 Sap | 1 Successfactors Mobile | 2022-08-02 | N/A | 8.1 HIGH |
| Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application | |||||
| CVE-2022-32246 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2022-07-20 | 4.9 MEDIUM | 4.6 MEDIUM |
| SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application | |||||