Filtered by vendor Sap
Subscribe
Total
1485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-39598 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-08-29 | N/A | 7.7 HIGH |
| SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. | |||||
| CVE-2024-34691 | 1 Sap | 1 S\/4 Hana | 2024-08-16 | N/A | 6.5 MEDIUM |
| Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system. | |||||
| CVE-2024-34686 | 1 Sap | 1 Customer Relationship Management Webclient Ui | 2024-08-16 | N/A | 6.1 MEDIUM |
| Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. | |||||
| CVE-2024-34683 | 1 Sap | 1 Document Builder | 2024-08-09 | N/A | 6.5 MEDIUM |
| An authenticated attacker can upload malicious file to SAP Document Builder service. When the victim accesses this file, the attacker is allowed to access, modify, or make the related information unavailable in the victim’s browser. | |||||
| CVE-2024-34688 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-09 | N/A | 7.5 HIGH |
| Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application. | |||||
| CVE-2024-33001 | 1 Sap | 1 Netweaver Application Server Abap | 2024-08-09 | N/A | 6.5 MEDIUM |
| SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application. | |||||
| CVE-2024-34690 | 1 Sap | 1 Student Life Cycle Management | 2024-08-09 | N/A | 5.4 MEDIUM |
| SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to access and edit non-sensitive report variants that are typically restricted, causing minimal impact on the confidentiality and integrity of the application. | |||||
| CVE-2024-34684 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-09 | N/A | 6.0 MEDIUM |
| On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files. | |||||
| CVE-2024-37176 | 1 Sap | 1 Bw\/4hana | 2024-08-09 | N/A | 5.4 MEDIUM |
| SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application. | |||||
| CVE-2024-28164 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-06 | N/A | 5.3 MEDIUM |
| SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application. | |||||
| CVE-2018-17865 | 1 Sap | 1 J2ee Engine | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2018-17862 | 1 Sap | 1 J2ee Engine | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2018-17861 | 1 Sap | 1 J2ee Engine | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2023-32113 | 1 Sap | 1 Gui For Windows | 2024-03-19 | N/A | 9.3 CRITICAL |
| SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking it into clicking a prepared shortcut file. Depending on the authorizations of the victim, the attacker can read and modify potentially sensitive information after successful exploitation. | |||||
| CVE-2014-9569 | 1 Sap | 1 Netweaver Business Client For Html | 2024-02-14 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Business Client (NWBC) for HTML 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) roundtrips parameter, aka SAP Security Note 2051285. | |||||
| CVE-2023-24523 | 1 Sap | 1 Host Agent | 2024-02-01 | N/A | 8.8 HIGH |
| An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable. | |||||
| CVE-2023-27500 | 1 Sap | 1 Netweaver Application Server Abap | 2024-02-01 | N/A | 8.1 HIGH |
| An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable. | |||||
| CVE-2024-21735 | 1 Sap | 1 Lt Replication Server | 2024-01-30 | N/A | 7.2 HIGH |
| SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system. | |||||
| CVE-2022-39805 | 1 Sap | 1 3d Visual Enterprise Author | 2024-01-25 | N/A | 7.8 HIGH |
| Due to lack of proper memory management, when a victim opens a manipulated Computer Graphics Metafile (.cgm, CgmTranslator.exe) file received from untrusted sources in SAP 3D Visual Enterprise Author - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | |||||
| CVE-2022-41186 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-01-25 | N/A | 7.8 HIGH |
| Due to lack of proper memory management, when a victim opens manipulated Computer Graphics Metafile (.cgm, CgmCore.dll) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, a Remote Code Execution can be triggered when payload forces a stack-based overflow and or a re-use of dangling pointer which refers to overwritten space in memory. | |||||