Filtered by vendor Sap
Subscribe
Total
1485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-29187 | 1 Sap | 1 Sapsetup | 2023-04-26 | N/A | 6.7 MEDIUM |
| A Windows user with basic user authorization can exploit a DLL hijacking attack in SapSetup (Software Installation Program) - version 9.0, resulting in a privilege escalation running code as administrator of the very same Windows PC. A successful attack depends on various preconditions beyond the attackers control. | |||||
| CVE-2023-29189 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2023-04-18 | N/A | 5.4 MEDIUM |
| SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields | |||||
| CVE-2023-27497 | 2 Microsoft, Sap | 2 Windows, Diagnostics Agent | 2023-04-18 | N/A | 9.8 CRITICAL |
| Due to missing authentication and input sanitization of code the EventLogServiceCollector of SAP Diagnostics Agent - version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | |||||
| CVE-2023-27499 | 1 Sap | 2 Netweaver, Netweaver Application Server Abap | 2023-04-18 | N/A | 6.1 MEDIUM |
| SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker. | |||||
| CVE-2023-29186 | 1 Sap | 1 Netweaver | 2023-04-18 | N/A | 6.5 MEDIUM |
| In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files can be overwritten making the system unavailable. | |||||
| CVE-2023-29185 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2023-04-18 | N/A | 6.5 MEDIUM |
| SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | |||||
| CVE-2023-29108 | 1 Sap | 2 Abap Platform Kernel, Web Dispatcher | 2023-04-18 | N/A | 5.3 MEDIUM |
| The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources. | |||||
| CVE-2023-29109 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2023-04-18 | N/A | 4.6 MEDIUM |
| The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-1903 | 1 Sap | 1 Hcm Fiori App My Forms | 2023-04-18 | N/A | 4.3 MEDIUM |
| SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. | |||||
| CVE-2023-29112 | 1 Sap | 1 Application Interface | 2023-04-18 | N/A | 5.4 MEDIUM |
| The SAP Application Interface (Message Monitoring) - versions 600, 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment will render links and custom CSS classes as HTML objects. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-29111 | 1 Sap | 1 Application Interface Framework | 2023-04-18 | N/A | 4.3 MEDIUM |
| The SAP AIF (ODATA service) - versions 755, 756, discloses more detailed information than is required. An authorized attacker can use the collected information possibly to exploit the component. As a result, an attacker can cause a low impact on the confidentiality of the application. | |||||
| CVE-2023-29110 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2023-04-18 | N/A | 5.4 MEDIUM |
| The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-28763 | 1 Sap | 1 Netweaver Application Server Abap | 2023-04-14 | N/A | 6.5 MEDIUM |
| SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | |||||
| CVE-2023-28765 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-04-14 | N/A | 9.8 CRITICAL |
| An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application. | |||||
| CVE-2023-28761 | 1 Sap | 1 Netweaver Enterprise Portal | 2023-04-14 | N/A | 6.5 MEDIUM |
| In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity. | |||||
| CVE-2023-27897 | 1 Sap | 1 Customer Relationship Management | 2023-04-14 | N/A | 6.3 MEDIUM |
| In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability. | |||||
| CVE-2023-27267 | 1 Sap | 1 Diagnostics Agent | 2023-04-14 | N/A | 8.1 HIGH |
| Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent - version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | |||||
| CVE-2023-26458 | 1 Sap | 1 Landscape Management | 2023-04-14 | N/A | 8.7 HIGH |
| An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition. It allows an authenticated SAP Landscape Management user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification.The disclosed information is for Diagnostics Agent Connection via Java SCS Message Server of an SAP Solution Manager system and can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to the SAP Solution Manager system. | |||||
| CVE-2023-24527 | 1 Sap | 1 Netweaver As Java For Deploy Service | 2023-04-14 | N/A | 5.3 MEDIUM |
| SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity. | |||||
| CVE-2023-23855 | 1 Sap | 1 Solution Manager | 2023-04-11 | N/A | 5.4 MEDIUM |
| SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability. | |||||