ReportizFlow
Filtered by vendor Sap
Subscriptions
Total
1493 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2010-5326 | 1 Sap | 1 Netweaver Application Server Java | 2024-12-19 | 10.0 Critical |
| The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. | ||||
| CVE-2024-42375 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-12-10 | 4.3 Medium |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application. | ||||
| CVE-2024-41731 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-12-10 | 3.1 Low |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application. | ||||
| CVE-2024-28166 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-12-10 | 3.7 Low |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application. | ||||
| CVE-2023-33987 | 1 Sap | 1 Web Dispatcher | 2024-12-04 | 8.6 High |
| An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49, KERNEL 7.53, KERNEL 7.54 KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.88, KERNEL 7.89, KERNEL 7.90, KRNL64NUC 7.49, KRNL64UC 7.49, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, can submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify information on the server or make it temporarily unavailable. | ||||
| CVE-2014-5173 | 1 Sap | 1 Hana Extended Application Services | 2024-12-04 | N/A |
| SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public. | ||||
| CVE-2023-42479 | 1 Sap | 1 Biller Direct | 2024-11-26 | 6.1 Medium |
| An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information. | ||||
| CVE-2023-49587 | 1 Sap | 1 Solution Manager | 2024-11-26 | 6.4 Medium |
| SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network. | ||||
| CVE-2024-39598 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | 5 Medium |
| SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. | ||||
| CVE-2024-39597 | 1 Sap | 2 Commerce Cloud, Commerce Hycom | 2024-11-21 | 7.2 High |
| In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. | ||||
| CVE-2024-39593 | 1 Sap | 1 Landscape Management | 2024-11-21 | 6.9 Medium |
| SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities. | ||||
| CVE-2024-39592 | 2 Sap, Sap Se | 3 S4core, S4coreop, Sap Pdce | 2024-11-21 | 7.7 High |
| Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application. | ||||
| CVE-2024-37176 | 1 Sap | 1 Bw\/4hana | 2024-11-21 | 5.5 Medium |
| SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application. | ||||
| CVE-2024-37175 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | 4.3 Medium |
| SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information. | ||||
| CVE-2024-37174 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | 6.1 Medium |
| Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2024-37173 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | 6.1 Medium |
| Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. | ||||
| CVE-2024-37172 | 1 Sap | 2 S4core, S\/4hana | 2024-11-21 | 5.4 Medium |
| SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity. | ||||
| CVE-2024-37171 | 1 Sap | 2 Saptmui, Transportation Management | 2024-11-21 | 5 Medium |
| SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application. | ||||
| CVE-2024-34692 | 1 Sap | 1 Enable Now | 2024-11-21 | 3.3 Low |
| Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application. | ||||
| CVE-2024-34691 | 1 Sap | 1 S\/4 Hana | 2024-11-21 | 6.5 Medium |
| Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system. | ||||