Filtered by vendor Sap
Subscribe
Search
Total
1171 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15296 | 1 Sap | 1 Customer Relationship Management | 2018-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. | |||||
| CVE-2013-7096 | 1 Sap | 1 Emr Unwired | 2018-12-10 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-11460 | 1 Sap | 1 Netweaver Portal | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535. | |||||
| CVE-2017-11459 | 1 Sap | 1 Trex | 2018-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. | |||||
| CVE-2014-1960 | 1 Sap | 2 Netweaver, Netweaver Solution Manager | 2018-12-10 | 5.0 MEDIUM | N/A |
| The Solution Manager in SAP NetWeaver does not properly restrict access, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2014-1961 | 1 Sap | 1 Netweaver | 2018-12-10 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in the Portal WebDynPro in SAP NetWeaver allows remote attackers to obtain sensitive path information via unknown attack vectors. | |||||
| CVE-2014-1962 | 1 Sap | 1 Customer Relationship Management | 2018-12-10 | 5.0 MEDIUM | N/A |
| Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-1963 | 1 Sap | 1 Netweaver | 2018-12-10 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in Message Server in SAP NetWeaver 7.20 allows remote attackers to cause a denial of service via unknown attack vectors. | |||||
| CVE-2014-1964 | 1 Sap | 2 Netweaver, Netweaver Exchange Infrastructure \(bc-xi\) | 2018-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error. | |||||
| CVE-2016-6818 | 1 Sap | 1 Business Intelligence Platform | 2018-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query. The vendor response is SAP Security Note 2361633. | |||||
| CVE-2014-1965 | 1 Sap | 1 Netweaver | 2018-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component 3.0, 7.00 through 7.02, and 7.10 through 7.11 for SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to PIP. | |||||
| CVE-2014-6252 | 1 Sap | 1 Netweaver | 2018-12-10 | 6.5 MEDIUM | N/A |
| Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors. | |||||
| CVE-2014-8588 | 1 Sap | 1 Hana | 2018-12-10 | 7.5 HIGH | N/A |
| SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2014-8589 | 1 Sap | 1 Network Interface Router | 2018-12-10 | 5.0 MEDIUM | N/A |
| Integer overflow in SAP Network Interface Router (SAProuter) 40.4 allows remote attackers to cause a denial of service (resource consumption) via crafted requests. | |||||
| CVE-2014-8590 | 1 Sap | 1 Netweaver Java Application Server | 2018-12-10 | 4.3 MEDIUM | N/A |
| XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request. | |||||
| CVE-2014-8591 | 1 Sap | 1 Netweaver | 2018-12-10 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in SAP Internet Communication Manager (ICM), as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via unknown vectors. | |||||
| CVE-2014-8592 | 1 Sap | 1 Netweaver | 2018-12-10 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via a crafted request. | |||||
| CVE-2014-8659 | 1 Sap | 1 Environment Health And Safety | 2018-12-10 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in SAP Environment, Health, and Safety allows remote attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2014-8660 | 1 Sap | 1 Document Management Services | 2018-12-10 | 7.2 HIGH | N/A |
| SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2014-9594 | 1 Sap | 1 Sap Kernel | 2018-12-10 | 6.5 MEDIUM | N/A |
| Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the ABAP VM, aka SAP Note 2059734. | |||||
| CVE-2014-9595 | 1 Sap | 1 Sap Kernel | 2018-12-10 | 6.5 MEDIUM | N/A |
| Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the Spool System, aka SAP Note 2061271. | |||||
| CVE-2015-1309 | 1 Sap | 1 Netweaver Abap | 2018-12-10 | 5.0 MEDIUM | N/A |
| XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. | |||||
| CVE-2016-4018 | 1 Sap | 1 Hana | 2018-12-10 | 7.5 HIGH | 7.3 HIGH |
| The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742. | |||||
| CVE-2016-4017 | 1 Sap | 1 Hana | 2018-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710. | |||||
| CVE-2016-4016 | 1 Sap | 1 Java As | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295. | |||||
| CVE-2016-4015 | 1 Sap | 1 Netweaver | 2018-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. | |||||
| CVE-2016-4014 | 1 Sap | 1 Netweaver | 2018-12-10 | 9.0 HIGH | 8.6 HIGH |
| XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389. | |||||
| CVE-2018-2463 | 1 Sap | 1 Hybris | 2018-11-29 | 5.0 MEDIUM | 8.6 HIGH |
| The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side implementation of OCC. | |||||
| CVE-2018-2462 | 1 Sap | 1 Netweaver | 2018-11-26 | 6.5 MEDIUM | 8.8 HIGH |
| In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31. 7.40, 7.41, 7.50, does not sufficiently validate an XML document accepted from an untrusted source. | |||||
| CVE-2018-2470 | 1 Sap | 1 Netweaver | 2018-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2472 | 1 Sap | 1 Businessobjects Bi Platform | 2018-11-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2479 | 1 Sap | 1 Businessobjects Bi Platform | 2018-11-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2466 | 1 Sap | 1 Data Services | 2018-11-23 | 3.5 LOW | 5.4 MEDIUM |
| In Impact and Lineage Analysis in SAP Data Services, version 4.2, the management console does not sufficiently validate user-controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2465 | 1 Sap | 1 Hana | 2018-11-20 | 5.0 MEDIUM | 7.5 HIGH |
| SAP HANA (versions 1.0 and 2.0) Extended Application Services classic model OData parser does not sufficiently validate XML. By exploiting, an unauthorized hacker can cause the database server to crash. | |||||
| CVE-2018-2460 | 1 Sap | 1 Business One | 2018-11-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| SAP Business One Android application, version 1.2, does not verify the certificate properly for HTTPS connection. This allows attacker to do MITM attack. | |||||
| CVE-2018-2464 | 1 Sap | 1 Netweaver | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2006-0732 | 1 Sap | 1 Business Connector | 2018-10-19 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in SAP Business Connector (BC) 4.6 and 4.7 allows remote attackers to read or delete arbitrary files via the fullName parameter to (1) sapbc/SAP/chopSAPLog.dsp or (2) invoke/sap.monitor.rfcTrace/deleteSingle. Details will be updated after the grace period has ended. NOTE: SAP Business Connector is an OEM version of webMethods Integration Server. webMethods states that this issue can only occur when the product is installed as root/admin, and if the attacker has access to a general purpose port; however, both are discouraged in the documentation. In addition, the attacker must already have acquired administrative privileges through other means. | |||||
| CVE-2006-0731 | 1 Sap | 1 Business Connector | 2018-10-19 | 4.0 MEDIUM | N/A |
| WmRoot/adapter-index.dsp in SAP Business Connector Core Fix 7 and earlier allows remote attackers to conduct spoofing (phishing) attacks via an absolute URL in the url parameter, which loads the URL inside a frame. | |||||
| CVE-2005-4815 | 1 Sap | 1 Sap R 3 | 2018-10-19 | 7.5 HIGH | N/A |
| SAP 6.4 before 6.40 patch 4, 6.2 before 6.20 patch 1364, 4.6 before 4.6D patch 1767, 45 before 45B patch 913, 40 before 40B patch 1008, and 31 before 31I patch 735 do not properly restrict process execution by lnaxdm/sapsys, which allows remote attackers to execute arbitrary code via a certain UDP packet that ends with the name of a local executable file, aka the "FX SAP R/3 gwrd vuln." | |||||
| CVE-2003-1035 | 1 Sap | 2 Sap R 3, Sapgui | 2018-10-19 | 7.5 HIGH | N/A |
| The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does. | |||||
| CVE-2006-2547 | 1 Sap | 1 Sapdba | 2018-10-18 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the sapdba command in SAP with Informix before 700, and 700 up to patch 100, allows local users to execute arbitrary commands via unknown vectors related to "insecure environment variable" handling. | |||||
| CVE-2006-1039 | 1 Sap | 1 Sap Web Application Server | 2018-10-18 | 6.4 MEDIUM | N/A |
| SAP Web Application Server (WebAS) Kernel before 7.0 allows remote attackers to inject arbitrary bytes into the HTTP response and obtain sensitive authentication information, or have other impacts, via a ";%20" followed by encoded HTTP headers. | |||||
| CVE-2006-6346 | 1 Sap | 1 Internet Graphics Server | 2018-10-17 | 10.0 HIGH | N/A |
| Unspecified vulnerability in SAP Internet Graphics Service (IGS) 6.40 Patchlevel 15 and earlier, and 7.00 Patchlevel 3 and earlier, allows remote attackers to cause a denial of service (service shutdown), obtain sensitive information (configuration files), and conduct certain other unauthorized activities, related to "Undocumented Features." NOTE: it is possible that there are multiple issues. This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. This is likely a different issue than CVE-2006-4134. | |||||
| CVE-2006-6345 | 1 Sap | 1 Internet Graphics Server | 2018-10-17 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in SAP Internet Graphics Service (IGS) 6.40 Patchlevel 16 and earlier, and 7.00 Patchlevel 6 and earlier, allows remote attackers to delete arbitrary files via directory traversal sequences in an HTTP request. NOTE: This information is based upon an initial disclosure. Details will be updated after the grace period has ended. This issue is different from CVE-2006-4133 and CVE-2006-4134. | |||||
| CVE-2006-6011 | 1 Sap | 1 Sap Web Application Server | 2018-10-17 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash," a different vulnerability than CVE-2006-5785. | |||||
| CVE-2006-6010 | 1 Sap | 1 Sap Web Application Server | 2018-10-17 | 5.0 MEDIUM | N/A |
| SAP allows remote attackers to obtain potentially sensitive information such as operating system and SAP version via an RFC_SYSTEM_INFO RfcCallReceive request, a different vulnerability than CVE-2003-0747. | |||||
| CVE-2006-5784 | 1 Sap | 1 Sap Web Application Server | 2018-10-17 | 4.6 MEDIUM | N/A |
| Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by local users to access a named pipe as the SAPServiceJ2E user. | |||||
| CVE-2006-5785 | 1 Sap | 1 Sap Web Application Server | 2018-10-17 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999. | |||||
| CVE-2006-5114 | 1 Sap | 1 Internet Transaction Server | 2018-10-17 | 6.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in wgate in SAP Internet Transaction Server (ITS) 6.1 and 6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) ~urlmime or (2) ~command parameter, different vectors than CVE-2003-0749. | |||||
| CVE-2006-4134 | 1 Sap | 1 Internet Graphics Server | 2018-10-17 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability related to a "design flaw" in SAP Internet Graphics Service (IGS) 6.40 and earlier and 7.00 and earlier allows remote attackers to cause a denial of service (service shutdown) via certain HTTP requests. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||