Filtered by vendor Sap
Subscribe
Search
Total
482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-0271 | 1 Sap | 3 Advanced Business Application Programming Platform, Advanced Business Application Programming Server, Sap Kernel | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below. | |||||
| CVE-2020-6371 | 1 Sap | 1 Netweaver As Abap | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure. | |||||
| CVE-2021-27612 | 1 Sap | 1 Gui For Windows | 2021-06-29 | 5.8 MEDIUM | 6.1 MEDIUM |
| In specific situations SAP GUI for Windows until and including 7.60 PL9, 7.70 PL0, forwards a user to specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim. | |||||
| CVE-2021-33666 | 1 Sap | 1 Commerce Cloud | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation. | |||||
| CVE-2020-26809 | 1 Sap | 1 Commerce Cloud | 2021-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. This folder could contain sensitive files that results in disclosure of sensitive information and impact system configuration confidentiality. | |||||
| CVE-2020-6369 | 1 Sap | 2 Focused Run, Solution Manager | 2021-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service. | |||||
| CVE-2020-26811 | 1 Sap | 1 Commerce Cloud \(accelerator Payment Mock\) | 2021-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability. | |||||
| CVE-2020-26836 | 1 Sap | 1 Solution Manager | 2021-06-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack. | |||||
| CVE-2021-33665 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-33664 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-27615 | 1 Sap | 1 Manufacturing Execution | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2021-21490 | 1 Sap | 1 Netweaver As Abap | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. | |||||
| CVE-2021-33662 | 1 Sap | 1 Business One | 2021-06-15 | 2.1 LOW | 4.4 MEDIUM |
| Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be restricted. | |||||
| CVE-2021-27623 | 1 Sap | 1 Netweaver As Internet Graphics Server | 2021-06-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method CXmlUtility::CheckLength() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. | |||||
| CVE-2021-27643 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27642 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27641 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated TIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27640 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-33660 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-33661 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-33659 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27639 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27638 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-06-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated JT file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | |||||
| CVE-2021-27611 | 1 Sap | 1 Netweaver As Abap | 2021-05-19 | 4.6 MEDIUM | 6.7 MEDIUM |
| SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service. | |||||
| CVE-2016-2388 | 1 Sap | 1 Netweaver Application Server Java | 2021-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. | |||||
| CVE-2018-2504 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. | |||||
| CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. | |||||
| CVE-2016-3973 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing "Add users", and doing a search, aka SAP Security Note 2255990. | |||||
| CVE-2021-21483 | 1 Sap | 1 Solution Manager | 2021-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application. | |||||
| CVE-2021-27609 | 1 Sap | 1 Focused Run | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization. | |||||
| CVE-2017-11457 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. | |||||
| CVE-2017-11458 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. | |||||
| CVE-2018-2452 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2016-10304 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | |||||
| CVE-2016-3975 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. | |||||
| CVE-2021-27601 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. | |||||
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. | |||||
| CVE-2021-27603 | 1 Sap | 1 Netweaver As Abap | 2021-04-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system. | |||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2021-04-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. | |||||
| CVE-2021-27600 | 1 Sap | 1 Manufacturing Execution | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted. | |||||
| CVE-2020-6365 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victim or to redirect users to untrusted web pages containing malware or similar malicious exploits. | |||||
| CVE-2021-21476 | 1 Sap | 1 Ui5 | 2021-04-01 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||||
| CVE-2021-21491 | 1 Sap | 1 Netweaver Application Server Java | 2021-03-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||||
| CVE-2021-21488 | 1 Sap | 1 Netweaver Knowledge Management | 2021-03-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. | |||||
| CVE-2021-21447 | 1 Sap | 1 Businessobjects Business Intelligence | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting. | |||||
| CVE-2021-21445 | 1 Sap | 1 Commerce Cloud | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead to advanced attacks, including cross-site scripting and page hijacking. | |||||
| CVE-2021-21478 | 1 Sap | 1 Web Dynpro Abap | 2021-02-16 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Web Dynpro ABAP allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||||
| CVE-2021-21444 | 1 Sap | 1 Businessobjects Business Intelligence | 2021-02-16 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking attack. | |||||
| CVE-2021-21467 | 1 Sap | 1 Banking Services | 2021-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. An unauthorized User is allowed to display restricted Business Partner Generic Market Data (GMD), due to improper authorization check. | |||||
| CVE-2021-21471 | 1 Sap | 1 Cla-assistant | 2021-01-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application. | |||||