Filtered by vendor Sap
Subscribe
Search
Total
1171 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37484 | 1 Sap | 1 Powerdesigner | 2023-08-09 | N/A | 5.3 MEDIUM |
| SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory. | |||||
| CVE-2023-37487 | 1 Sap | 1 Business One | 2023-08-09 | N/A | 5.3 MEDIUM |
| SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application | |||||
| CVE-2023-37490 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-08-09 | N/A | 9.0 CRITICAL |
| SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system | |||||
| CVE-2023-37483 | 1 Sap | 1 Powerdesigner | 2023-08-09 | N/A | 9.8 CRITICAL |
| SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. | |||||
| CVE-2023-37492 | 1 Sap | 1 Netweaver Application Server Abap | 2023-08-09 | N/A | 6.5 MEDIUM |
| SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack. | |||||
| CVE-2023-37491 | 1 Sap | 1 Message Server | 2023-08-09 | N/A | 8.8 HIGH |
| The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable. | |||||
| CVE-2023-39436 | 1 Sap | 1 Supplier Relationship Management | 2023-08-09 | N/A | 5.8 MEDIUM |
| SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM. | |||||
| CVE-2023-39437 | 1 Sap | 1 Business One | 2023-08-09 | N/A | 5.4 MEDIUM |
| SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. | |||||
| CVE-2021-42067 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. | |||||
| CVE-2021-21472 | 1 Sap | 1 Software Provisioning Manager | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade. | |||||
| CVE-2021-38163 | 1 Sap | 1 Netweaver | 2023-08-08 | 9.0 HIGH | 8.8 HIGH |
| SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable. | |||||
| CVE-2022-32246 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2022-07-20 | 4.9 MEDIUM | 4.6 MEDIUM |
| SAP Busines Objects Business Intelligence Platform (Visual Difference Application) - versions 420, 430, allows an authenticated attacker who has access to BI admin console to send crafted queries and extract data from the SQL backend. On successful exploitation, the attacker can cause limited impact on confidentiality and integrity of the application | |||||
| CVE-2022-35225 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. This leads to limited impact on confidentiality and integrity of data. | |||||
| CVE-2022-35227 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session. | |||||
| CVE-2022-35170 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal does - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. This leads to limited impact on confidentiality and integrity of data. | |||||
| CVE-2022-35169 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-07-20 | 6.5 MEDIUM | 6.0 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (LCM) - versions 420, 430, allows an attacker with an admin privilege to read and decrypt LCMBIAR file's password under certain conditions, enabling the attacker to modify the password or import the file into another system causing high impact on confidentiality but a limited impact on the availability and integrity of the application. | |||||
| CVE-2022-35168 | 1 Sap | 1 Business One | 2022-07-20 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. | |||||
| CVE-2022-32249 | 1 Sap | 1 Business One | 2022-07-20 | 5.0 MEDIUM | 7.5 HIGH |
| Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit?s data volume to gain access to highly sensitive information (e.g., high privileged account credentials) | |||||
| CVE-2022-32248 | 1 Sap | 1 S\/4hana | 2022-07-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data. | |||||
| CVE-2022-32247 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, is susceptible to script execution attack by an unauthenticated attacker due to improper sanitization of the User inputs while interacting on the Network. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-35172 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-35171 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-07-19 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated JPEG 2000 (.jp2, jp2k.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below | |||||
| CVE-2022-31597 | 1 Sap | 2 S\/4hana, Sapscore | 2022-07-19 | 5.5 MEDIUM | 5.4 MEDIUM |
| Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data. | |||||
| CVE-2022-35224 | 1 Sap | 1 Enterprise Portal | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim?s web browser session. | |||||
| CVE-2022-29619 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-07-16 | 5.5 MEDIUM | 6.5 MEDIUM |
| Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted. | |||||
| CVE-2022-31591 | 1 Sap | 1 Businessobjects Bw Publisher Service | 2022-07-16 | 4.6 MEDIUM | 7.8 HIGH |
| SAP BusinessObjects BW Publisher Service - versions 420, 430, uses a search path that contains an unquoted element. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service | |||||
| CVE-2022-31598 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2022-07-16 | 4.9 MEDIUM | 5.4 MEDIUM |
| Due to insufficient input validation, SAP Business Objects - version 420, allows an authenticated attacker to submit a malicious request through an allowed operation. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-31592 | 1 Sap | 1 Enterprise Extension Defense Forces \& Public Security | 2022-07-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| The application SAP Enterprise Extension Defense Forces & Public Security - versions 605, 606, 616,617,618, 802, 803, 804, 805, 806, does not perform necessary authorization checks for an authenticated user over the network, resulting in escalation of privileges leading to a limited impact on confidentiality. | |||||
| CVE-2022-31593 | 1 Sap | 1 Business One | 2022-07-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2022-35228 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-07-15 | 6.8 MEDIUM | 8.8 HIGH |
| SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social engineering. On successful exploitation, the attacker can completely compromise the application. | |||||
| CVE-2021-27637 | 1 Sap | 1 Enable Now | 2022-07-12 | 1.9 LOW | 4.6 MEDIUM |
| Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an attacker to access information which would otherwise be restricted leading to information disclosure. | |||||
| CVE-2021-33686 | 1 Sap | 1 Business One | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree. | |||||
| CVE-2021-27613 | 1 Sap | 1 Chef Business-one-cookbook | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| Under certain conditions, SAP Business One Chef cookbook, version - 9.2, 9.3, 10.0, used to install SAP Business One, allows an attacker to exploit an insecure temporary folder for incoming & outgoing payroll data and to access information which would otherwise be restricted, which could lead to Information Disclosure and highly impact system confidentiality, integrity and availability. | |||||
| CVE-2021-38179 | 1 Sap | 1 Business One | 2022-07-12 | 4.0 MEDIUM | 4.9 MEDIUM |
| Debug function of Admin UI of SAP Business One Integration is enabled by default. This allows Admin User to see the captured packet contents which may include User credentials. | |||||
| CVE-2021-38150 | 1 Sap | 1 Business Client | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid. | |||||
| CVE-2021-38178 | 1 Sap | 2 Netweaver Abap, Netweaver As Abap | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data. | |||||
| CVE-2021-27619 | 1 Sap | 1 Commerce | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value thereby leading to information disclosure. | |||||
| CVE-2021-33663 | 1 Sap | 1 Netweaver As Abap | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. | |||||
| CVE-2021-44235 | 1 Sap | 1 Netweaver Application Server For Abap | 2022-07-12 | 7.2 HIGH | 6.7 MEDIUM |
| Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2021-33677 | 1 Sap | 2 Netweaver Abap, Netweaver As Abap | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure. | |||||
| CVE-2021-27621 | 1 Sap | 1 Netweaver Application Server For Java | 2022-07-12 | 4.0 MEDIUM | 4.9 MEDIUM |
| Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11,7.20,7.30,7.31,7.40 and 7.50 allows attackers to access restricted information by entering malicious server name. | |||||
| CVE-2021-27595 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-07-12 | 4.3 MEDIUM | 3.3 LOW |
| When a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-27594 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-07-12 | 4.3 MEDIUM | 3.3 LOW |
| When a user opens manipulated Windows Bitmap (.BMP) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-38176 | 1 Sap | 4 Landscape Transformation, Landscape Transformation Replication Server, S\/4hana and 1 more | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system. | |||||
| CVE-2021-33668 | 1 Sap | 1 Infrabox | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper input sanitization, specially crafted LDAP queries can be injected by an unauthenticated user. This could partially impact the confidentiality of the application. | |||||
| CVE-2021-38174 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2021-42069 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-07-12 | 4.3 MEDIUM | 3.3 LOW |
| When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application | |||||
| CVE-2021-27616 | 1 Sap | 2 Business-one-hana-chef-cookbook, Business One | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information which would otherwise be restricted, resulting in Information Disclosure vulnerability highly impacting the confidentiality, integrity and availability of the application. | |||||
| CVE-2021-21485 | 1 Sap | 1 Netweaver Application Server Java | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. | |||||
| CVE-2021-21448 | 1 Sap | 1 Graphical User Interface | 2022-07-12 | 2.1 LOW | 6.5 MEDIUM |
| SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory. Under certain conditions the attacker can access information which would otherwise be restricted. The exploit can only be executed locally on the client PC and not via Network and the attacker needs at least user authorization of the Operating System user of the victim. | |||||