Filtered by vendor Sap
Subscribe
Search
Total
292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6252 | 1 Sap | 1 Adaptive Server Enterprise Cockpit | 2021-07-21 | 5.2 MEDIUM | 8.0 HIGH |
| Under certain conditions SAP Adaptive Server Enterprise (Cockpit), version 16.0, allows an attacker with access to local network, to get sensitive and confidential information, leading to Information Disclosure. It can be used to get user account credentials, tamper with system data and impact system availability. | |||||
| CVE-2020-6240 | 1 Sap | 1 Netweaver As Abap | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service | |||||
| CVE-2020-6243 | 1 Sap | 1 Adaptive Server Enterprise | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Under certain conditions, SAP Adaptive Server Enterprise (XP Server on Windows Platform), versions 15.7, 16.0, does not perform the necessary checks for an authenticated user while executing the extended stored procedure, allowing an attacker to read, modify, delete restricted data on connected servers, leading to Code Injection. | |||||
| CVE-2020-6247 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system availability. | |||||
| CVE-2020-6248 | 1 Sap | 1 Adaptive Server Enterprise Backup Server | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection. | |||||
| CVE-2020-6227 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files. | |||||
| CVE-2020-26830 | 1 Sap | 1 Solution Manager | 2021-06-17 | 5.5 MEDIUM | 8.1 HIGH |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script. | |||||
| CVE-2021-27614 | 1 Sap | 2 Business-one-hana-chef-cookbook, Business One | 2021-05-21 | 3.6 LOW | 7.1 HIGH |
| SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application thereby highly impacting the integrity and availability of the application. | |||||
| CVE-2021-21482 | 1 Sap | 1 Netweaver Master Data Management | 2021-04-21 | 4.8 MEDIUM | 8.3 HIGH |
| SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed. | |||||
| CVE-2021-27608 | 1 Sap | 1 Setup | 2021-04-20 | 4.4 MEDIUM | 7.5 HIGH |
| An unquoted service path in SAPSetup, version - 9.0, could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, Integrity and Availability. | |||||
| CVE-2016-9562 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835. | |||||
| CVE-2017-8913 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | |||||
| CVE-2017-12637 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. | |||||
| CVE-2017-14581 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. | |||||
| CVE-2018-2492 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.5 MEDIUM | 7.1 HIGH |
| SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. | |||||
| CVE-2017-7717 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | |||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | |||||
| CVE-2021-27588 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated HPGL format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27586 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Interchange File Format (.IFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27587 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27589 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Scalable Vector Graphics (.SVG) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27591 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Portable Document Format (.PDF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27592 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27590 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Tag Image File Format (.TIFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27585 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-03-25 | 6.8 MEDIUM | 7.8 HIGH |
| When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-21487 | 1 Sap | 1 Payment Engine | 2021-03-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2021-21486 | 1 Sap | 1 Enterprise Financial Services | 2021-03-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2021-21481 | 1 Sap | 1 Netweaver | 2021-03-16 | 8.3 HIGH | 8.8 HIGH |
| The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability. | |||||
| CVE-2021-21446 | 1 Sap | 1 Netweaver As Abap | 2021-02-24 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service. | |||||
| CVE-2021-21449 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21451 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated SGI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21450 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21454 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21453 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21452 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21457 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21456 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21455 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21458 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21459 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21462 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21463 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21460 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21461 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated BMP file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-21475 | 1 Sap | 1 Netweaver Master Data Management Server | 2021-02-16 | 5.0 MEDIUM | 7.5 HIGH |
| Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. Due to this Directory Traversal vulnerability the attacker could read content of arbitrary files on the remote server and expose sensitive data. | |||||
| CVE-2021-21469 | 1 Sap | 1 Netweaver Master Data Management | 2021-02-11 | 5.0 MEDIUM | 7.5 HIGH |
| When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure. | |||||
| CVE-2020-26815 | 1 Sap | 1 Fiori Launchpad \(news Tile Application\) | 2020-11-24 | 5.0 MEDIUM | 8.6 HIGH |
| SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network to retrieve sensitive / confidential resources which are otherwise restricted for internal usage only, resulting in a Server-Side Request Forgery vulnerability. | |||||
| CVE-2020-26810 | 1 Sap | 1 Commerce Cloud \(accelerator Payment Mock\) | 2020-11-23 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request can render the SAP Commerce service itself unavailable leading to Denial of Service with no impact on confidentiality or integrity. | |||||
| CVE-2018-2446 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-09-29 | 5.0 MEDIUM | 7.5 HIGH |
| Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure. | |||||
| CVE-2020-6302 | 1 Sap | 1 Commerce | 2020-09-10 | 7.5 HIGH | 8.1 HIGH |
| SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application. | |||||