Filtered by vendor Sap
Subscribe
Search
Total
1171 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-2397 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In SAP Business Objects Business Intelligence Platform, 4.00, 4.10, 4.20, 4.30, the Central Management Console (CMC) does not sufficiently encode user controlled inputs which results in Cross-Site Scripting. | |||||
| CVE-2018-2422 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Internet Graphics Server (IGS) Portwatcher, 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2423 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, HTTP and RFC listener allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2399 | 1 Sap | 1 Process Monitoring Infrastructure | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting in Process Monitoring Infrastructure, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to inefficient encoding of user controlled inputs. | |||||
| CVE-2018-2402 | 1 Sap | 1 Hana | 2019-10-09 | 3.5 LOW | 8.4 HIGH |
| In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more information about capture & replay), user credentials may be stored in clear text in the indexserver trace files of the control system. An attacker with the required authorizations on the control system may be able to access the user credentials and gain unauthorized access to data in the captured or target system. | |||||
| CVE-2018-2404 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. | |||||
| CVE-2018-2405 | 1 Sap | 1 Solution Manager | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting. | |||||
| CVE-2018-2406 | 1 Sap | 1 Crystal Reports Server | 2019-10-09 | 4.6 MEDIUM | 5.3 MEDIUM |
| Unquoted windows search path (directory/path traversal) vulnerability in Crystal Reports Server, OEM Edition (CRSE), 4.0, 4.10, 4.20, 4.30, startup path. | |||||
| CVE-2018-2408 | 1 Sap | 1 Businessobjects | 2019-10-09 | 7.5 HIGH | 7.3 HIGH |
| Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. | |||||
| CVE-2018-2409 | 1 Sap | 1 Cloud Platform | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform. | |||||
| CVE-2018-2424 | 1 Sap | 4 Hana Database, Ui, Ui5 and 1 more | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00 | |||||
| CVE-2018-2412 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2413 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2415 | 1 Sap | 2 J2ee Engine Server Core, Netweaver Java Web Container And Http Service Engine | 2019-10-09 | 4.3 MEDIUM | 4.7 MEDIUM |
| SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed. | |||||
| CVE-2018-2418 | 1 Sap | 1 Maxdb Odbc Driver | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2018-2419 | 1 Sap | 3 Ea-finserv, S4core, Sapscore | 2019-10-09 | 5.5 MEDIUM | 4.6 MEDIUM |
| SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2420 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation. | |||||
| CVE-2015-2107 | 2 Hp, Sap | 2 Operations Manager I Management Pack, Netweaver | 2019-10-09 | 6.8 MEDIUM | N/A |
| HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges. | |||||
| CVE-2017-6950 | 1 Sap | 1 Gui For Windows | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. | |||||
| CVE-2018-2455 | 1 Sap | 1 Enterprise Financial Services | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_SEPA) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2454 | 1 Sap | 1 Enterprise Financial Services | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_2) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2434 | 1 Sap | 3 Netweaver, Ui Infra, User Interface Technology | 2019-10-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52). There is little impact as it is not possible to embed active contents such as JavaScript or hyperlinks. | |||||
| CVE-2018-2438 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has several denial-of-service vulnerabilities that allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||||
| CVE-2018-2436 | 1 Sap | 1 R\/3 Enterprise Retail | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2017-9843 | 1 Sap | 1 Netweaver Abap | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841. | |||||
| CVE-2017-8915 | 1 Sap | 1 Hana Xs | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to cause a denial of service (assertion failure and service crash) by pushing a package with a filename containing a $ (dollar sign) or % (percent) character, aka SAP Security Note 2407694. | |||||
| CVE-2017-8914 | 1 Sap | 1 Hana Xs | 2019-10-03 | 7.5 HIGH | 8.3 HIGH |
| sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. | |||||
| CVE-2017-7696 | 1 Sap | 1 Sso Authentication Library | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042. | |||||
| CVE-2017-5997 | 1 Sap | 1 Sap Kernel | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. | |||||
| CVE-2018-2459 | 1 Sap | 1 Mobile Platform | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user. | |||||
| CVE-2018-2494 | 1 Sap | 1 Business Application Software Integrated Solution | 2019-10-03 | 6.5 MEDIUM | 8.0 HIGH |
| Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform. | |||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | |||||
| CVE-2018-2490 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2481 | 1 Sap | 1 Advanced Business Application Programming | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
| In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality. | |||||
| CVE-2018-2461 | 1 Sap | 1 People Profile | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges. | |||||
| CVE-2017-15293 | 1 Sap | 1 Point Of Sale Xpress Server | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. | |||||
| CVE-2018-2381 | 1 Sap | 1 Erp Financials Information System | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16; SAP_FIN 6.17, 6.18, 7.00, 7.20, 7.30 S4CORE 1.00, 1.01, 1.02) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2361 | 1 Sap | 1 Solution Manager | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools. | |||||
| CVE-2018-2391 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user can prevent legitimate users from accessing the SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, via IGS portwatcher service. | |||||
| CVE-2018-2489 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| Locally, without any permission, an arbitrary android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2390 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user can prevent legitimate users from accessing the SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, via IGS Chart service. | |||||
| CVE-2018-2485 | 1 Sap | 1 Fiori Client | 2019-10-03 | 6.4 MEDIUM | 7.7 HIGH |
| It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2018-2394 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 5.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions an unauthenticated malicious user can prevent legitimate users from accessing the SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, services and/or system files. | |||||
| CVE-2018-2396 | 1 Sap | 1 Internet Graphics Server | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions a malicious user can prevent legitimate users from accessing the SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, using IGS Interpreter service. | |||||
| CVE-2019-0355 | 1 Sap | 1 Netweaver Application Server Java | 2019-09-11 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
| CVE-2019-0361 | 1 Sap | 1 Supplier Relationship Management | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0352 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-09-11 | 5.0 MEDIUM | 7.5 HIGH |
| In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. | |||||
| CVE-2016-6858 | 1 Sap | 1 Hybris | 2019-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. | |||||
| CVE-2014-8871 | 1 Sap | 1 Hybris | 2019-08-27 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier. | |||||
| CVE-2019-0338 | 1 Sap | 1 Gateway | 2019-08-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure. | |||||