Filtered by vendor Sap
Total: 482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-2440 | 1 Sap | 1 Dynamic Authorization Management | 2018-09-06 | 2.1 LOW | 4.4 MEDIUM |
| Under certain circumstances SAP Dynamic Authorization Management (DAM) by NextLabs (Java Policy Controller versions 7.7 and 8.5) exposes sensitive information in the application logs. | |||||
| CVE-2018-2435 | 1 Sap | 1 Netweaver Enterprise Portal | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-11415 | 1 Sap | 1 Internet Transaction Server | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Site Scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product. | |||||
| CVE-2018-2365 | 1 Sap | 1 Netweaver Portal | 2018-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2380 | 1 Sap | 1 Customer Relationship Management | 2018-03-23 | 6.5 MEDIUM | 6.6 MEDIUM |
| SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. | |||||
| CVE-2018-2370 | 1 Sap | 1 Bi Launchpad | 2018-03-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| Server Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad, 4.10, from 4.20, from 4.30, could allow a malicious user to use common techniques to determine which ports are in use on the backend server. | |||||
| CVE-2018-2371 | 1 Sap | 1 Netweaver Java Web Application | 2018-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2364 | 1 Sap | 2 Customer Relationship Management Webclient Ui, S4fnd | 2018-03-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2386 | 1 Sap | 1 Internet Graphics Server | 2018-02-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user provoking an out of bounds buffer overflow can prevent legitimate users from accessing the SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53. | |||||
| CVE-2018-2385 | 1 Sap | 1 Internet Graphics Server | 2018-02-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user provoking a divide by zero crash can prevent legitimate users from accessing the SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53, and its services. | |||||
| CVE-2018-2384 | 1 Sap | 1 Internet Graphics Server | 2018-02-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user provoking a Null Pointer dereference can prevent legitimate users from accessing the SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53, and its services. | |||||
| CVE-2018-2383 | 1 Sap | 1 Internet Graphics Server | 2018-02-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53. | |||||
| CVE-2018-2388 | 1 Sap | 1 Internet Graphics Server | 2018-02-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53. | |||||
| CVE-2017-16679 | 1 Sap | 1 Sap Kernel | 2018-01-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site. | |||||
| CVE-2017-16691 | 1 Sap | 1 Business Application Software Integrated Solution | 2018-01-04 | 5.8 MEDIUM | 6.5 MEDIUM |
| SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52) supports upload of digitally signed note files of type 'SAR'. The digital signature verification is done together with the extraction of the note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using the SAPCAR tool; during the extraction, digital signature verification fails but the tampered file is extracted. | |||||
| CVE-2017-16678 | 1 Sap | 4 Epbc, Epbc2, Kmc-bc and 1 more | 2018-01-02 | 6.5 MEDIUM | 4.7 MEDIUM |
| Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application. | |||||
| CVE-2017-16687 | 1 Sap | 1 Hana Database | 2018-01-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The user self-service tools of SAP HANA extended application services, classic user self-service, a part of SAP HANA Database versions 1.00 and 2.00, can be misused to enumerate valid and invalid user accounts. An unauthenticated user could use the error messages to determine if a given username is valid. | |||||
| CVE-2017-16683 | 1 Sap | 1 Businessobjects | 2017-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Denial of Service (DoS) in SAP Business Objects Platform, Enterprise 4.10 and 4.20, that could allow an attacker to prevent legitimate users from accessing a service. | |||||
| CVE-2017-16681 | 1 Sap | 1 Business Intelligence Promotion Management Application | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user controlled inputs are not sufficiently encoded. | |||||
| CVE-2017-16685 | 1 Sap | 1 Business Warehouse Universal Data Integration | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs. | |||||
| CVE-2017-14516 | 1 Sap | 1 Businessobjects Financial Consolidation | 2017-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292. | |||||
| CVE-2017-10701 | 1 Sap | 1 Enterprise Portal | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516. | |||||
| CVE-2016-6856 | 1 Sap | 1 Hybris | 2017-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | |||||
| CVE-2017-6061 | 1 Sap | 1 Businessobjects Financial Consolidation | 2017-03-16 | 4.3 MEDIUM | 4.7 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Security Note 2368106. | |||||
| CVE-2016-6859 | 1 Sap | 1 Hybris | 2017-01-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | |||||
| CVE-2016-6149 | 1 Sap | 1 Hana Sps09 | 2016-11-28 | 2.1 LOW | 5.5 MEDIUM |
| SAP HANA SPS09 1.00.091.00.14186593 allows local users to obtain sensitive information by leveraging the EXPORT statement to export files, aka SAP Security Note 2252941. | |||||
| CVE-2016-6145 | 1 Sap | 1 Hana Db | 2016-11-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as "False," which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869. | |||||
| CVE-2016-4407 | 1 Sap | 1 Sapcryptolib | 2016-11-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008. | |||||
| CVE-2016-3638 | 1 Sap | 1 Sld Registration | 2016-10-14 | 2.1 LOW | 5.5 MEDIUM |
| SAP SLD Registration Program (aka SLDREG) allows local users to cause a denial of service (memory corruption and process termination) via a crafted HOST parameter, aka SAP Security Note 2125623. | |||||
| CVE-2016-6146 | 1 Sap | 1 Trex | 2016-09-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The NameServer in SAP TREX 7.10 Revision 63 allows remote attackers to obtain sensitive TNS information via an unspecified query, aka SAP Security Note 2234226. | |||||
| CVE-2016-3639 | 1 Sap | 1 Hana Db | 2016-09-28 | 5.0 MEDIUM | 4.3 MEDIUM |
| SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128. | |||||
| CVE-2016-3640 | 1 Sap | 1 Hana Db | 2016-08-11 | 2.1 LOW | 5.5 MEDIUM |
| The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.091.00.1418659308 allows local users to obtain sensitive password information via vectors related to passwords in Web Dispatcher trace files, aka SAP Security Note 2148905. | |||||
