Filtered by vendor Sap
Subscribe
Search
Total
1171 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-2482 | 1 Sap | 1 Mobile Secure | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Mobile Secure Android Application, Mobile-secure.apk Android client, before version 6.60.19942.0, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Install the Mobile Secure Android client released in Mid-Oct 2018. | |||||
| CVE-2018-2483 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method. | |||||
| CVE-2018-2441 | 1 Sap | 1 Sap Kernel | 2020-08-24 | 5.5 MEDIUM | 5.5 MEDIUM |
| Under certain conditions the SAP Change and Transport System (ABAP), SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73, allows an attacker to transport information which would otherwise be restricted. | |||||
| CVE-2018-2437 | 1 Sap | 1 Internet Graphics Server | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| The SAP Internet Graphics Service (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to externally trigger IGS command executions which can lead to: disclosure of information and malicious file insertion or modification. | |||||
| CVE-2018-2433 | 1 Sap | 1 Sap Kernel | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Gateway (SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.53) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2432 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.9 MEDIUM | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking. | |||||
| CVE-2018-2497 | 1 Sap | 1 Hana | 2020-08-24 | 4.0 MEDIUM | 2.7 LOW |
| The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT. | |||||
| CVE-2018-2499 | 1 Sap | 2 Financial Consolidation Cube Designer, Financial Consolidation Cube Designer Bobj Eades | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user. | |||||
| CVE-2018-2500 | 1 Sap | 1 Mobile Secure | 2020-08-24 | 1.9 LOW | 4.7 MEDIUM |
| Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2018-2428 | 1 Sap | 2 Infrastructure, Ui | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Under certain conditions SAP UI5 Handler allows an attacker to access information which would otherwise be restricted. Software components affected are: SAP Infrastructure 1.0, SAP UI 7.4, 7.5, 7.51, 7.52 and version 2.0 of SAP UI for SAP NetWeaver 7.00. | |||||
| CVE-2018-2425 | 1 Sap | 1 Business One | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| Under certain conditions, SAP Business One, 9.2, 9.3, for SAP HANA backup service allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2018-2417 | 1 Sap | 1 Identity Management | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Under certain conditions, the SAP Identity Management 8.0 (pass of type ToASCII) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2018-2403 | 1 Sap | 1 Disclosure Management | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to. | |||||
| CVE-2019-0318 | 1 Sap | 1 Netweaver Application Server Java | 2020-08-24 | 3.5 LOW | 5.3 MEDIUM |
| Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0319 | 1 Sap | 2 Gateway, Ui5 | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not. | |||||
| CVE-2019-0322 | 1 Sap | 1 Commerce Cloud | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2398 | 1 Sap | 1 Business Client | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Under certain conditions SAP Business Client 6.5 allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0356 | 1 Sap | 1 Netweaver Process Integration | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0357 | 1 Sap | 1 Hana | 2020-08-24 | 7.2 HIGH | 6.7 MEDIUM |
| The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges. | |||||
| CVE-2018-2458 | 1 Sap | 1 Business One | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0333 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure. | |||||
| CVE-2018-2473 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2019-0363 | 1 Sap | 1 Hana Extended Application Services | 2020-08-24 | 5.5 MEDIUM | 7.1 HIGH |
| Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network ports. | |||||
| CVE-2019-0403 | 1 Sap | 1 Enable Now | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. | |||||
| CVE-2019-0340 | 1 Sap | 1 Enable Now | 2020-08-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files. | |||||
| CVE-2019-0341 | 1 Sap | 1 Enable Now | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application. | |||||
| CVE-2019-0402 | 1 Sap | 1 Adaptive Server Enterprise | 2020-08-24 | 2.1 LOW | 4.4 MEDIUM |
| SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. | |||||
| CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | |||||
| CVE-2019-0399 | 1 Sap | 1 Portfolio And Project Management | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects in Project dashboard, leading to Information Disclosure. | |||||
| CVE-2019-0346 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure. | |||||
| CVE-2019-0348 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted. | |||||
| CVE-2019-0349 | 1 Sap | 1 Advanced Business Application Programming Platform Kernel | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check | |||||
| CVE-2019-0391 | 1 Sap | 1 Netweaver Application Server Java | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0350 | 1 Sap | 1 Hana Database | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service | |||||
| CVE-2019-0351 | 1 Sap | 1 Netweaver | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate. | |||||
| CVE-2019-0389 | 1 Sap | 1 Netweaver Application Server Java | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. | |||||
| CVE-2019-0353 | 1 Sap | 1 Business One Client | 2020-08-24 | 2.1 LOW | 3.3 LOW |
| Under certain conditions SAP Business One client (B1_ON_HANA, SAP-M-BO), before versions 9.2 and 9.3, allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0386 | 1 Sap | 2 Erp Sales, S4hana Sales | 2020-08-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the required authorization checks for an authenticated user, which can result in an escalation of privileges. | |||||
| CVE-2020-6298 | 1 Sap | 1 Generic Market Data | 2020-08-14 | 5.5 MEDIUM | 8.1 HIGH |
| SAP Banking Services (Generic Market Data), versions - 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing Authorization Check. | |||||
| CVE-2020-6284 | 1 Sap | 1 Netweaver Knowledge Management | 2020-08-14 | 8.5 HIGH | 9.0 CRITICAL |
| SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of the script content could result in complete compromise of system confidentiality, integrity and availability, leading to Stored Cross Site Scripting. | |||||
| CVE-2020-6293 | 1 Sap | 1 Netweaver Knowledge Management | 2020-08-13 | 6.4 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload. | |||||
| CVE-2020-6273 | 1 Sap | 1 S\/4 Hana Fiori Ui For General Ledger Accounting | 2020-08-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check. | |||||
| CVE-2020-6301 | 1 Sap | 1 Hcm Travel Management | 2020-08-13 | 5.5 MEDIUM | 8.1 HIGH |
| SAP ERP (HCM Travel Management), versions - 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges, due to Missing Authorization Check. | |||||
| CVE-2020-6300 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-08-13 | 3.5 LOW | 4.8 MEDIUM |
| SAP Business Objects Business Intelligence Platform (Central Management Console), versions- 4.2, 4.3, allows an attacker with administrator rights can use the web application to send malicious code to a different end user (victim), as it does not sufficiently encode user-controlled inputs for RecycleBin, resulting in Stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6267 | 1 Sap | 1 Disclosure Management | 2020-07-23 | 5.8 MEDIUM | 5.4 MEDIUM |
| Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag. | |||||
| CVE-2020-6282 | 1 Sap | 1 Netweaver Application Server Java | 2020-07-15 | 5.0 MEDIUM | 5.8 MEDIUM |
| SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | |||||
| CVE-2020-6286 | 1 Sap | 1 Netweaver Application Server Java | 2020-07-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal. | |||||
| CVE-2020-6289 | 1 Sap | 1 Disclosure Management | 2020-07-15 | 6.8 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site. | |||||
| CVE-2020-6291 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration | |||||
| CVE-2020-6292 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 6.5 MEDIUM | 8.8 HIGH |
| Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration. | |||||