ReportizFlow
Filtered by vendor Sap
Subscriptions
Total
1689 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2003-0944 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| Buffer overflow in the WAECHO default service in web-tools in SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a URL with a long requestURI. | ||||
| CVE-2003-0943 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm). | ||||
| CVE-2003-0945 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| The Web Database Manager in web-tools for SAP DB before 7.4.03.30 generates predictable session IDs, which allows remote attackers to conduct unauthorized activities. | ||||
| CVE-2005-3636 | 1 Sap | 1 Sap Web Application Server | 2026-04-16 | N/A |
| Cross-site scripting (XSS) vulnerability in SAP Web Application Server (WAS) 6.10 allows remote attackers to inject arbitrary web script or HTML via Error Pages. | ||||
| CVE-2006-4133 | 1 Sap | 1 Internet Graphics Server | 2026-04-16 | N/A |
| Heap-based buffer overflow in SAP Internet Graphics Service (IGS) 6.40 and earlier, and 7.00 and earlier, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via an HTTP request with an ADM:GETLOGFILE command and a long portwatcher argument, which triggers the overflow during error message construction when the _snprintf function returns a negative value that is used in a memcpy operation. | ||||
| CVE-2006-2547 | 1 Sap | 1 Sapdba | 2026-04-16 | N/A |
| Unspecified vulnerability in the sapdba command in SAP with Informix before 700, and 700 up to patch 100, allows local users to execute arbitrary commands via unknown vectors related to "insecure environment variable" handling. | ||||
| CVE-2003-0747 | 1 Sap | 1 Internet Transaction Server | 2026-04-16 | N/A |
| wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to obtain potentially sensitive information such as directory structure and operating system via incorrect parameters (1) ~service, (2) ~templatelanguage, (3) ~language, (4) ~theme, or (5) ~template, which leaks the information in the resulting error message. | ||||
| CVE-2003-0940 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| Directory traversal vulnerability in sqlfopenc for web-tools in SAP DB before 7.4.03.30 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a URL. | ||||
| CVE-2003-1034 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserver programs with world-writable permissions, which allows local users to gain privileges by modifying those programs. | ||||
| CVE-2003-1033 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. | ||||
| CVE-2003-1035 | 1 Sap | 2 Sap R 3, Sapgui | 2026-04-16 | N/A |
| The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does. | ||||
| CVE-2001-0366 | 1 Sap | 2 Sap R 3 Web Application Server Demo, Saposcol | 2026-04-16 | N/A |
| saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the PATH environmental variable to find and execute the expand program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse expand program. | ||||
| CVE-2003-0941 | 1 Sap | 1 Sap Db | 2026-04-16 | N/A |
| web-tools in SAP DB before 7.4.03.30 allows remote attackers to access the Web Agent Administration pages and modify configuration via a direct request to waadmin.wa. | ||||
| CVE-2025-42976 | 1 Sap | 2 Netweaver, Netweaver Application Server For Abap | 2026-04-15 | 8.1 High |
| SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information. | ||||
| CVE-2025-42922 | 1 Sap | 4 Java As, Netweaver, Netweaver Java and 1 more | 2026-04-15 | 9.9 Critical |
| SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42910 | 1 Sap | 1 Supplier Relationship Management | 2026-04-15 | 9 Critical |
| Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application. | ||||
| CVE-2025-24874 | 1 Sap | 1 Commerce Backoffice | 2026-04-15 | 6.8 Medium |
| SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. | ||||
| CVE-2025-0070 | 1 Sap | 2 Abap Platform, Netweaver Application Server Abap | 2026-04-15 | 9.9 Critical |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. | ||||
| CVE-2024-33006 | 1 Sap | 1 Netweaver | 2026-04-15 | 9.6 Critical |
| An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system. | ||||
| CVE-2025-42955 | 1 Sap | 1 Cloud Connector | 2026-04-15 | 3.5 Low |
| Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected. | ||||