Filtered by vendor Sap
Subscribe
Total
1426 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-6237 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions, SAP Business Objects Business Intelligence Platform, version 4.1, 4.2, dswsbobje web application allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure. | |||||
CVE-2020-26829 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 9.0 HIGH | 10.0 CRITICAL |
SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely. | |||||
CVE-2019-0308 | 1 Sap | 1 E-commerce | 2021-07-21 | 3.5 LOW | 6.8 MEDIUM |
An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection. | |||||
CVE-2020-6373 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-07-21 | 6.8 MEDIUM | 7.8 HIGH |
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PDF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 2.7 LOW | 4.5 MEDIUM |
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
CVE-2020-6230 | 1 Sap | 1 Orientdb | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
SAP OrientDB, version 3.0, allows an authenticated attacker with script execute/write permissions to inject code that can be executed by the application and lead to Code Injection. An attacker could thereby control the behavior of the application. | |||||
CVE-2020-6251 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 6.5 MEDIUM |
Under certain conditions or error scenarios SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted. | |||||
CVE-2020-6313 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting. | |||||
CVE-2020-6295 | 1 Sap | 1 Adaptive Server Enterprise | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit. This compromise could enable the attacker to view, modify and/or make unavailable any data associated with the Cockpit, leading to Information Disclosure. | |||||
CVE-2020-6264 | 1 Sap | 1 Commerce | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure. | |||||
CVE-2020-26821 | 1 Sap | 1 Solution Manager | 2021-07-21 | 6.4 MEDIUM | 10.0 CRITICAL |
SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. | |||||
CVE-2020-6224 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 3.5 LOW | 6.2 MEDIUM |
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure. | |||||
CVE-2020-6307 | 1 Sap | 1 Basis | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information. | |||||
CVE-2020-6248 | 1 Sap | 1 Adaptive Server Enterprise Backup Server | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection. | |||||
CVE-2020-6320 | 1 Sap | 1 Marketing | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
SAP Marketing (Servlet), version-130,140,150, allows an authenticated attacker to invoke certain functions that are restricted. Limited knowledge of payload is required for an attacker to exploit the vulnerability and perform tasks related to contact and interaction data which impacts Confidentiality and Integrity of data in the application. | |||||
CVE-2020-6227 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files. | |||||
CVE-2020-6178 | 1 Sap | 1 Enable Now | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure. | |||||
CVE-2020-26822 | 1 Sap | 1 Solution Manager | 2021-07-21 | 6.4 MEDIUM | 10.0 CRITICAL |
SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Outside Discovery Configuration Service, this has an impact to the integrity and availability of the service. | |||||
CVE-2019-0304 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
CVE-2020-6198 | 1 Sap | 1 Solution Manager | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check. |