Filtered by vendor Sap
Subscribe
Total
1304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-0284 | 1 Sap | 1 Hana | 2019-04-11 | 3.6 LOW | 6.0 MEDIUM |
| SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files. | |||||
| CVE-2018-2416 | 1 Sap | 1 Identity Management | 2019-03-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP Identity Management 7.2 and 8.0 do not sufficiently validate an XML document accepted from an untrusted source. | |||||
| CVE-2019-0277 | 1 Sap | 1 Hana Extended Application Services | 2019-03-13 | 5.5 MEDIUM | 6.5 MEDIUM |
| SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability). | |||||
| CVE-2019-0265 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2019-03-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75. | |||||
| CVE-2019-0268 | 1 Sap | 1 Businessobjects Business Intelligence | 2019-03-13 | 5.5 MEDIUM | 8.1 HIGH |
| SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source. | |||||
| CVE-2019-0269 | 1 Sap | 1 Businessobjects Business Intelligence | 2019-03-13 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2016-6857 | 1 Sap | 1 Hybris | 2019-03-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. | |||||
| CVE-2019-0255 | 1 Sap | 3 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl64nuc, Advanced Business Application Programming Platform Krnl64uc | 2019-02-22 | 5.5 MEDIUM | 8.1 HIGH |
| SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate type of installation for an ABAP Server system correctly. That behavior may lead to situation, where business user achieves access to the full SAP Menu, that is 'Easy Access Menu'. The situation can be misused by any user to leverage privileges to business functionality. | |||||
| CVE-2019-0254 | 1 Sap | 1 Disclosure Management | 2019-02-20 | 3.5 LOW | 5.4 MEDIUM |
| SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0259 | 1 Sap | 1 Businessobjects | 2019-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation. | |||||
| CVE-2019-0267 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2019-02-20 | 6.8 MEDIUM | 8.8 HIGH |
| SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. | |||||
| CVE-2019-0262 | 1 Sap | 1 Businessobjects Bi Platform | 2019-02-19 | 3.5 LOW | 5.4 MEDIUM |
| SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0251 | 1 Sap | 1 Businessobjects | 2019-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2477 | 1 Sap | 1 Netweaver | 2019-02-01 | 6.5 MEDIUM | 8.8 HIGH |
| Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source. | |||||
| CVE-2018-2491 | 1 Sap | 1 Fiori Client | 2019-02-01 | 6.8 MEDIUM | 7.8 HIGH |
| When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the viewer and taps on the hyperlink in the viewer. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2019-0247 | 1 Sap | 1 Cloud Connector | 2019-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2019-0238 | 1 Sap | 1 Hybris | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0245 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0244 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2486 | 1 Sap | 2 Marketing Sapscore, Marketing Uicuan | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||