Filtered by vendor Sap
Subscribe
Search
Total
292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6209 | 1 Sap | 1 Disclosure Management | 2020-04-24 | 6.0 MEDIUM | 7.5 HIGH |
| SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to Missing Authorization Check. | |||||
| CVE-2020-6225 | 1 Sap | 2 Netweaver Knowledge Management And Collaboration \(kmc-cm\), Netweaver Knowledge Management And Collaboration \(kmc-wpc\) | 2020-04-15 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs, allowing the attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal. | |||||
| CVE-2020-6219 | 1 Sap | 2 Businessobjects Business Intelligence Platform, Crystal Reports For Visual Studio | 2020-04-15 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data. | |||||
| CVE-2020-6228 | 1 Sap | 1 Business Client | 2020-04-15 | 4.3 MEDIUM | 7.5 HIGH |
| SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. | |||||
| CVE-2020-6236 | 1 Sap | 2 Adaptive Extensions, Landscape Management | 2020-04-15 | 6.5 MEDIUM | 7.2 HIGH |
| SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files as root user from a non-root context, leading to Privilege Escalation. | |||||
| CVE-2020-6196 | 1 Sap | 1 Businessobjects Mobile | 2020-03-11 | 5.0 MEDIUM | 7.5 HIGH |
| SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all the threads resulting in a Denial of Service. | |||||
| CVE-2020-6188 | 1 Sap | 2 Erp, S\/4 Hana | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH |
| VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check. | |||||
| CVE-2020-6186 | 1 Sap | 1 Host Agent | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. | |||||
| CVE-2020-6192 | 1 Sap | 1 Landscape Management | 2020-02-19 | 9.0 HIGH | 7.2 HIGH |
| SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management. | |||||
| CVE-2020-6191 | 1 Sap | 1 Landscape Management | 2020-02-19 | 9.0 HIGH | 7.2 HIGH |
| SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation. | |||||
| CVE-2013-1593 | 1 Sap | 1 Netweaver | 2020-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. | |||||
| CVE-2020-6304 | 1 Sap | 5 Netweaver Internet Communication Manager \(kernel\), Netweaver Internet Communication Manager \(krnl32nuc\), Netweaver Internet Communication Manager \(krnl32uc\) and 2 more | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Improper input validation in SAP NetWeaver Internet Communication Manager (update provided in KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49 KERNEL 7.21, 7.49, 7.53) allows an attacker to prevent users from accessing its services through a denial of service. | |||||
| CVE-2019-0383 | 1 Sap | 2 Enterprise Extension Financial Services, Treasury And Risk Management \(s4core\) | 2019-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2019-0384 | 1 Sap | 2 Enterprise Extension Financial Services, Treasury And Risk Management \(s4core\) | 2019-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity. | |||||
| CVE-2019-0398 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the web server, leading to Cross Site Request Forgery. | |||||
| CVE-2019-0405 | 1 Sap | 1 Enable Now | 2019-12-17 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure. | |||||
| CVE-2019-0396 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-11-15 | 5.5 MEDIUM | 7.1 HIGH |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted source. An attacker can craft a message that contains malicious elements that will not be correctly filtered by Web Intelligence HTML interface in some specific workflows. | |||||
| CVE-2018-2424 | 1 Sap | 4 Hana Database, Ui, Ui5 and 1 more | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00 | |||||
| CVE-2018-2412 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2423 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, HTTP and RFC listener allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2421 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Internet Graphics Server (IGS) Portwatcher, 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2422 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Internet Graphics Server (IGS) Portwatcher, 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2413 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2402 | 1 Sap | 1 Hana | 2019-10-09 | 3.5 LOW | 8.4 HIGH |
| In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more information about capture & replay), user credentials may be stored in clear text in the indexserver trace files of the control system. An attacker with the required authorizations on the control system may be able to access the user credentials and gain unauthorized access to data in the captured or target system. | |||||
| CVE-2018-2408 | 1 Sap | 1 Businessobjects | 2019-10-09 | 7.5 HIGH | 7.3 HIGH |
| Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. | |||||
| CVE-2018-2409 | 1 Sap | 1 Cloud Platform | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform. | |||||
| CVE-2018-2481 | 1 Sap | 1 Advanced Business Application Programming | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
| In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality. | |||||
| CVE-2018-2494 | 1 Sap | 1 Business Application Software Integrated Solution | 2019-10-03 | 6.5 MEDIUM | 8.0 HIGH |
| Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform. | |||||
| CVE-2018-2490 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2461 | 1 Sap | 1 People Profile | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges. | |||||
| CVE-2018-2459 | 1 Sap | 1 Mobile Platform | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user. | |||||
| CVE-2018-2436 | 1 Sap | 1 R\/3 Enterprise Retail | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2381 | 1 Sap | 1 Erp Financials Information System | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16; SAP_FIN 6.17, 6.18, 7.00, 7.20, 7.30 S4CORE 1.00, 1.01, 1.02) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2361 | 1 Sap | 1 Solution Manager | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools. | |||||
| CVE-2018-2489 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| Locally, without any permission, an arbitrary android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2485 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.4 MEDIUM | 7.7 HIGH |
| It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2455 | 1 Sap | 1 Enterprise Financial Services | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_SEPA) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2454 | 1 Sap | 1 Enterprise Financial Services | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_2) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2438 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has several denial-of-service vulnerabilities that allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2017-8915 | 1 Sap | 1 Hana Xs | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar sign) or % (percent) character, aka SAP Security Note 2407694. | |||||
| CVE-2017-8914 | 1 Sap | 1 Hana Xs | 2019-10-03 | 7.5 HIGH | 8.3 HIGH |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. | |||||
| CVE-2017-7696 | 1 Sap | 1 Sso Authentication Library | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042. | |||||
| CVE-2017-5997 | 1 Sap | 1 Sap Kernel | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | |||||
| CVE-2019-0355 | 1 Sap | 1 Netweaver Application Server Java | 2019-09-11 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
| CVE-2019-0352 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-09-11 | 5.0 MEDIUM | 7.5 HIGH |
| In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. | |||||
| CVE-2014-8871 | 1 Sap | 1 Hybris | 2019-08-27 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier. | |||||
| CVE-2019-0343 | 1 Sap | 1 Commerce Cloud | 2019-08-23 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. | |||||
| CVE-2019-0328 | 1 Sap | 1 Netweaver Process Integration | 2019-07-18 | 9.0 HIGH | 7.2 HIGH |
| ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the integrity and availability of the system. | |||||
| CVE-2019-0327 | 1 Sap | 1 Netweaver Application Server Java | 2019-07-18 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. | |||||
| CVE-2019-0268 | 1 Sap | 1 Businessobjects Business Intelligence | 2019-03-13 | 5.5 MEDIUM | 8.1 HIGH |
| SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source. | |||||