Filtered by vendor Sap
Subscribe
Total
1304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33689 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted. | |||||
| CVE-2021-33667 | 1 Sap | 1 Businessobjects Web Intelligence | 2021-07-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions, SAP Business Objects Web Intelligence (BI Launchpad) versions - 420, 430, allows an attacker to access jsp source code, through SDK calls, of Analytical Reporting bundle, a part of the frontend application, which would otherwise be restricted. | |||||
| CVE-2021-33681 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-07-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated CGM file received from untrusted sources which causes out of bounds write and causes the application to crash and becoming temporarily unavailable until the user restarts the application. | |||||
| CVE-2021-33671 | 1 Sap | 1 Netweaver Guided Procedures | 2021-07-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. | |||||
| CVE-2021-33676 | 1 Sap | 1 Customer Relationship Management | 2021-07-16 | 6.5 MEDIUM | 7.2 HIGH |
| A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system. | |||||
| CVE-2021-33682 | 1 Sap | 1 Lumira Server | 2021-07-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content. | |||||
| CVE-2021-33680 | 1 Sap | 1 3d Visual Enterprise Viewer | 2021-07-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated CGM file received from untrusted sources which causes buffer overflow and causes the application to crash and becoming temporarily unavailable until the user restarts the application. | |||||
| CVE-2021-27612 | 1 Sap | 1 Gui For Windows | 2021-06-29 | 5.8 MEDIUM | 6.1 MEDIUM |
| In specific situations SAP GUI for Windows until and including 7.60 PL9, 7.70 PL0, forwards a user to specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim. | |||||
| CVE-2021-33666 | 1 Sap | 1 Commerce Cloud | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation. | |||||
| CVE-2020-6364 | 1 Sap | 1 Introscope Enterprise Manager | 2021-06-17 | 10.0 HIGH | 10.0 CRITICAL |
| SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager,leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability. | |||||
| CVE-2020-26809 | 1 Sap | 1 Commerce Cloud | 2021-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. This folder could contain sensitive files that results in disclosure of sensitive information and impact system configuration confidentiality. | |||||
| CVE-2020-6369 | 1 Sap | 2 Focused Run, Solution Manager | 2021-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an unauthenticated attackers to bypass the authentication if the default passwords for Admin and Guest have not been changed by the administrator.This may impact the confidentiality of the service. | |||||
| CVE-2020-26811 | 1 Sap | 1 Commerce Cloud \(accelerator Payment Mock\) | 2021-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability. | |||||
| CVE-2020-26830 | 1 Sap | 1 Solution Manager | 2021-06-17 | 5.5 MEDIUM | 8.1 HIGH |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script. | |||||
| CVE-2020-26836 | 1 Sap | 1 Solution Manager | 2021-06-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack. | |||||
| CVE-2020-26837 | 1 Sap | 1 Solution Manager | 2021-06-17 | 6.5 MEDIUM | 9.1 CRITICAL |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable. | |||||
| CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2021-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. | |||||
| CVE-2021-33665 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-33664 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-27615 | 1 Sap | 1 Manufacturing Execution | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks. | |||||