Filtered by vendor Sap
Subscribe
Total
1485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38180 | 1 Sap | 1 Business One | 2023-11-07 | 9.3 HIGH | 9.8 CRITICAL |
| SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution. | |||||
| CVE-2020-6324 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the victim clicks on this URL, the attacker can read, modify the information available in the victim?s browser leading to Reflected Cross Site Scripting. | |||||
| CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version ? 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | |||||
| CVE-2012-4341 | 1 Sap | 1 Netweaver Abap | 2023-11-07 | 10.0 HIGH | N/A |
| Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. | |||||
| CVE-2023-42477 | 1 Sap | 1 Netweaver Application Server Java | 2023-10-16 | N/A | 6.5 MEDIUM |
| SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. | |||||
| CVE-2023-42474 | 1 Sap | 1 Businessobjects Web Intelligence | 2023-10-11 | N/A | 5.4 MEDIUM |
| SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information. | |||||
| CVE-2023-42473 | 1 Sap | 1 S\/4hana | 2023-10-11 | N/A | 5.4 MEDIUM |
| S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-40310 | 1 Sap | 1 Powerdesigner | 2023-10-11 | N/A | 7.5 HIGH |
| SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP PowerDesigner Client. | |||||
| CVE-2023-33993 | 1 Sap | 1 Business One | 2023-08-15 | N/A | 7.5 HIGH |
| B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and availability of the application. | |||||
| CVE-2023-36923 | 1 Sap | 1 Powerdesigner | 2023-08-15 | N/A | 7.8 HIGH |
| SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2023-37488 | 1 Sap | 1 Netweaver Process Integration | 2023-08-15 | N/A | 6.1 MEDIUM |
| In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. | |||||
| CVE-2022-28773 | 1 Sap | 2 Netweaver, Web Dispatcher | 2023-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically. | |||||
| CVE-2023-35871 | 1 Sap | 1 Web Dispatcher | 2023-08-14 | N/A | 9.4 CRITICAL |
| The SAP Web Dispatcher - versions WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.91, WEBDISP 7.92, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, has a vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption through logical errors in memory management this may leads to information disclosure or system crashes, which can have low impact on confidentiality and high impact on the integrity and availability of the system. | |||||
| CVE-2022-22528 | 2 Microsoft, Sap | 2 Windows, Adaptive Server Enterprise | 2023-08-14 | 4.4 MEDIUM | 7.8 HIGH |
| SAP Adaptive Server Enterprise (ASE) - version 16.0, installation makes an entry in the system PATH environment variable in Windows platform which, under certain conditions, allows a Standard User to execute malicious Windows binaries which may lead to privilege escalation on the local system. The issue is with the ASE installer and does not impact other ASE binaries. | |||||
| CVE-2022-28771 | 1 Sap | 1 Business One License Service Api | 2023-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| Due to missing authentication check, SAP Business one License service API - version 10.0 allows an unauthenticated attacker to send malicious http requests over the network. On successful exploitation, an attacker can break the whole application making it inaccessible. | |||||
| CVE-2023-37490 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-08-09 | N/A | 9.0 CRITICAL |
| SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system | |||||
| CVE-2023-39437 | 1 Sap | 1 Business One | 2023-08-09 | N/A | 5.4 MEDIUM |
| SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. | |||||
| CVE-2021-21472 | 1 Sap | 1 Software Provisioning Manager | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade. | |||||
| CVE-2021-42067 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. | |||||
| CVE-2022-22537 | 1 Sap | 1 3d Visual Enterprise Viewer | 2023-07-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a user opens a manipulated Tagged Image File Format (.tiff, 2d.x3d)) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. The file format details along with their CVE relevant information can be found below. | |||||