Filtered by vendor Sap
Subscribe
Total
1304 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23852 | 1 Sap | 1 Solution Manager | 2023-02-21 | N/A | 6.1 MEDIUM |
SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
CVE-2023-0025 | 1 Sap | 1 Solution Manager | 2023-02-21 | N/A | 5.4 MEDIUM |
SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources. | |||||
CVE-2023-0020 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-02-21 | N/A | 7.1 HIGH |
SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application. | |||||
CVE-2023-0024 | 1 Sap | 1 Solution Manager | 2023-02-21 | N/A | 5.4 MEDIUM |
SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources, resulting in Cross-Site Scripting vulnerability. | |||||
CVE-2023-0019 | 1 Sap | 1 Grc Process Control | 2023-02-21 | N/A | 6.5 MEDIUM |
In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality. | |||||
CVE-2021-21469 | 1 Sap | 1 Netweaver Master Data Management | 2023-02-10 | 5.0 MEDIUM | 7.5 HIGH |
When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure. | |||||
CVE-2023-0014 | 1 Sap | 4 Netweaver Application Server Abap, Netweaver Application Server Abap Kernel, Netweaver Application Server Abap Krnl64nuc and 1 more | 2023-02-09 | N/A | 9.8 CRITICAL |
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system. | |||||
CVE-2022-27657 | 1 Sap | 1 Focused Run | 2023-02-01 | 4.0 MEDIUM | 2.7 LOW |
A highly privileged remote attacker, can gain unauthorized access to display contents of restricted directories by exploiting insufficient validation of path information in SAP Focused Run (Simple Diagnostics Agent 1.0) - version 1.0. | |||||
CVE-2017-16349 | 1 Sap | 1 Business Planning And Consolidation | 2023-01-30 | 5.5 MEDIUM | 8.1 HIGH |
An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability. | |||||
CVE-2022-28217 | 1 Sap | 1 Netweaver | 2023-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system?s Availability by causing system to crash. | |||||
CVE-2022-32249 | 1 Sap | 1 Business One | 2023-01-30 | 5.0 MEDIUM | 7.5 HIGH |
Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit?s data volume to gain access to highly sensitive information (e.g., high privileged account credentials) | |||||
CVE-2022-35224 | 1 Sap | 1 Enterprise Portal | 2023-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim?s web browser session. | |||||
CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2023-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version ? 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | |||||
CVE-2020-6324 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2023-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the victim clicks on this URL, the attacker can read, modify the information available in the victim?s browser leading to Reflected Cross Site Scripting. | |||||
CVE-2022-31595 | 1 Sap | 1 Adaptive Server Enterprise | 2023-01-30 | 6.5 MEDIUM | 8.8 HIGH |
SAP Financial Consolidation - version 1010,?does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
CVE-2017-9843 | 1 Sap | 1 Netweaver Abap | 2023-01-27 | 4.0 MEDIUM | 2.7 LOW |
SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with certain privileges to cause a denial of service (process crash) via vectors involving disp+work.exe, aka SAP Security Note 2406841. | |||||
CVE-2023-0016 | 1 Sap | 1 Business Planning And Consolidation | 2023-01-18 | N/A | 8.8 HIGH |
SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database. | |||||
CVE-2023-0022 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-01-18 | N/A | 8.8 HIGH |
SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application causing a high impact on the confidentiality, integrity, and availability of the application. | |||||
CVE-2023-0023 | 1 Sap | 1 Bank Account Management | 2023-01-13 | N/A | 5.7 MEDIUM |
In SAP Bank Account Management (Manage Banks) application, when a user clicks a smart link to navigate to another app, personal data is shown directly in the URL. They might get captured in log files, bookmarks, and so on disclosing sensitive data of the application. | |||||
CVE-2023-0018 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-01-13 | N/A | 6.1 MEDIUM |
Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application - versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim's web browser can be read, modified, and sent to the attacker. |