Filtered by vendor Sap
Subscribe
Total
1426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6222 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-04-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6216 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6228 | 1 Sap | 1 Business Client | 2020-04-15 | 4.3 MEDIUM | 7.5 HIGH |
| SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. | |||||
| CVE-2020-6226 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-04-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6229 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2020-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6232 | 1 Sap | 1 Commerce Cloud | 2020-04-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media. | |||||
| CVE-2020-6231 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-04-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6233 | 1 Sap | 2 Banking Services From Sap, S\/4hana Financial Products Subledger | 2020-04-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in slowing the system. | |||||
| CVE-2020-6211 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-04-15 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Business Objects Business Intelligence Platform (AdminTools), versions 4.1, 4.2, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL Redirection vulnerability. | |||||
| CVE-2020-6236 | 1 Sap | 2 Adaptive Extensions, Landscape Management | 2020-04-15 | 6.5 MEDIUM | 7.2 HIGH |
| SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files as root user from a non-root context, leading to Privilege Escalation. | |||||
| CVE-2020-6199 | 1 Sap | 1 Erp | 2020-03-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103, 104; does not have any authorization check to it due to which an attacker without an authorization group can maintain any company certificate, leading to Missing Authorization Check. | |||||
| CVE-2020-6204 | 1 Sap | 2 Treasury And Risk Management \(ea-finserv\), Treasury And Risk Management \(s4core\) | 2020-03-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more records than it should be when selecting and displaying the contract number, leading to Missing Authorization Check. | |||||
| CVE-2020-6203 | 1 Sap | 1 Netweaver | 2020-03-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs, leading to Path Traversal. | |||||
| CVE-2020-6201 | 1 Sap | 1 Commerce Cloud | 2020-03-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting. | |||||
| CVE-2020-6206 | 1 Sap | 1 Cloud Platform Integration | 2020-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning massages. This could mislead the victim to follow malicious instructions inserted by external attackers, leading to Cross Site Request Forgery. | |||||
| CVE-2020-6197 | 1 Sap | 1 Enable Now | 2020-03-12 | 2.1 LOW | 3.3 LOW |
| SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables. | |||||
| CVE-2020-6196 | 1 Sap | 1 Businessobjects Mobile | 2020-03-11 | 5.0 MEDIUM | 7.5 HIGH |
| SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all the threads resulting in a Denial of Service. | |||||
| CVE-2020-6210 | 1 Sap | 1 Fiori Launchpad | 2020-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, leading to reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6200 | 1 Sap | 1 Commerce Cloud | 2020-03-11 | 3.5 LOW | 5.4 MEDIUM |
| The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework. | |||||
| CVE-2015-7968 | 1 Sap | 1 Netweaver Application Server | 2020-03-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI. | |||||