Filtered by vendor Sap
Subscribe
Total
1304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38164 | 1 Sap | 1 Erp Financial Accounting | 2021-09-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to. | |||||
| CVE-2021-33672 | 1 Sap | 1 Contact Center | 2021-09-24 | 9.3 HIGH | 9.6 CRITICAL |
| Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability. | |||||
| CVE-2021-33673 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700,does not sufficiently encode user-controlled inputs and persists in them. This allows an attacker to exploit a Stored Cross-Site Scripting (XSS) vulnerability when a user browses through the employee directory and to execute arbitrary code on the victim's browser. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands. | |||||
| CVE-2021-33674 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser. | |||||
| CVE-2021-33675 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability through phishing and to execute arbitrary code on the victim's browser. | |||||
| CVE-2021-33679 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-09-24 | 3.5 LOW | 5.4 MEDIUM |
| The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity. | |||||
| CVE-2021-33685 | 1 Sap | 1 Business One | 2021-09-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data | |||||
| CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | |||||
| CVE-2021-37532 | 1 Sap | 1 Business One | 2021-09-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User. | |||||
| CVE-2021-33688 | 1 Sap | 1 Business One | 2021-09-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. | |||||
| CVE-2021-21489 | 1 Sap | 1 Netweaver Enterprise Portal | 2021-09-22 | 3.5 LOW | 4.8 MEDIUM |
| SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content. | |||||
| CVE-2007-1916 | 8 Apple, Hp, Ibm and 5 more | 11 Macos, Hp-ux, Tru64 and 8 more | 2021-09-22 | 10.0 HIGH | N/A |
| Buffer overflow in the RFC_START_GUI function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||
| CVE-2007-1915 | 7 Apple, Hp, Ibm and 4 more | 10 Macos, Hp-ux, Tru64 and 7 more | 2021-09-22 | 7.5 HIGH | N/A |
| Buffer overflow in the RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||
| CVE-2007-1917 | 8 Apple, Hp, Ibm and 5 more | 11 Macos, Hp-ux, Tru64 and 8 more | 2021-09-22 | 10.0 HIGH | N/A |
| Buffer overflow in the SYSTEM_CREATE_INSTANCE function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||
| CVE-2007-1913 | 8 Apple, Hp, Ibm and 5 more | 11 Macos, Hp-ux, Tru64 and 8 more | 2021-09-22 | 5.0 MEDIUM | N/A |
| The TRUSTED_SYSTEM_SECURITY function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to verify the existence of users and groups on systems and domains via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||
| CVE-2007-1918 | 8 Apple, Hp, Ibm and 5 more | 11 Macos, Hp-ux, Tru64 and 8 more | 2021-09-22 | 5.0 MEDIUM | N/A |
| The RFC_SET_REG_SERVER_PROPERTY function in the SAP RFC Library 6.40 and 7.00 before 20070109 implements an option for exclusive access to an RFC server, which allows remote attackers to cause a denial of service (client lockout) via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | |||||
| CVE-2019-0248 | 1 Sap | 2 Basis, Netweaver | 2021-09-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2019-0275 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-09 | 3.5 LOW | 5.4 MEDIUM |
| SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. | |||||
| CVE-2018-2484 | 1 Sap | 4 Bank\/cfm, Ea-finserv, S4core and 1 more | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2503 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-09 | 3.3 LOW | 7.4 HIGH |
| By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). | |||||