Filtered by vendor Sap
Subscribe
Total
1304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26808 | 1 Sap | 2 Sap As Abap\(dmis\), Sap S4 Hana\(dmis\) | 2022-07-01 | 6.5 MEDIUM | 7.2 HIGH |
| SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application. | |||||
| CVE-2022-31589 | 1 Sap | 3 Erp Financial Accounting, Erp Localization For Cee Countries, S\/4hana | 2022-06-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted. | |||||
| CVE-2022-31594 | 1 Sap | 1 Adaptive Server Enterprise | 2022-06-24 | 7.2 HIGH | 6.7 MEDIUM |
| A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system. | |||||
| CVE-2022-32236 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Windows Bitmap (.bmp, 2d.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32235 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated AutoCAD (.dwg, TeighaTranslator.exe) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-31590 | 1 Sap | 1 Powerdesigner Proxy | 2022-06-24 | 7.2 HIGH | 7.8 HIGH |
| SAP PowerDesigner Proxy - version 16.7, allows an attacker with low privileges and has local access, with the ability to work around system’s root disk access restrictions to Write/Create a program file on system disk root path, which could then be executed with elevated privileges of the application during application start up or reboot, potentially compromising Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2022-29618 | 1 Sap | 1 Netweaver Development Infrastructure | 2022-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-29615 | 1 Sap | 1 Netweaver Developer Studio | 2022-06-24 | 3.6 LOW | 3.4 LOW |
| SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. The application's confidentiality and integrity could have a low impact due to the vulnerabilities associated with version 1.x. | |||||
| CVE-2022-32240 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Jupiter Tesselation (.jt, JTReader.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32241 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Portable Document Format (.pdf, PDFView.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32242 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Radiance Picture (.hdr, hdr.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32243 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Scalable Vector Graphics (.svg, svg.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32237 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-22 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Computer Graphics Metafile (.cgm, CgmCore.dll) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-32238 | 1 Sap | 1 3d Visual Enterprise Viewer | 2022-06-22 | 4.3 MEDIUM | 5.5 MEDIUM |
| When a user opens manipulated Encapsulated Post Script (.eps, ai.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||||
| CVE-2022-22547 | 1 Sap | 1 Simple Diagnostics Agent | 2022-06-21 | 5.0 MEDIUM | 7.5 HIGH |
| Simple Diagnostics Agent - versions 1.0 (up to version 1.57.), allows an attacker to access information which would otherwise be restricted via a random port 9000-65535. This allows information gathering which could be used exploit future open-source security exploits. | |||||
| CVE-2022-24396 | 1 Sap | 1 Simple Diagnostics Agent | 2022-06-21 | 7.2 HIGH | 7.8 HIGH |
| The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations. | |||||
| CVE-2020-6220 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2022-06-14 | 2.6 LOW | 4.7 MEDIUM |
| BI Launchpad and CMC in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Exploit is possible only when the bttoken in victim’s session is active. | |||||
| CVE-2021-21480 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2022-06-13 | 9.0 HIGH | 8.8 HIGH |
| SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). An attacker can intercept a request to the server, inject malicious JSP code in the request and forward to server. When this dashboard is opened by users having at least SAP_XMII Developer role, malicious content in the dashboard gets executed, leading to remote code execution in the server, which allows privilege escalation. The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files in the server, modify files or even delete contents in the server thus compromising the confidentiality, integrity and availability of the server hosting the SAP MII application. Also, an attacker authenticated as a developer can use the application to upload and execute a file which will permit them to execute operating systems commands completely compromising the server hosting the application. | |||||
| CVE-2021-21465 | 1 Sap | 1 Business Warehouse | 2022-06-03 | 6.5 MEDIUM | 9.9 CRITICAL |
| The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system. | |||||
| CVE-2022-29616 | 1 Sap | 3 Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc | 2022-05-19 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption. | |||||