Skip to main content

Business One

30 CVEs product

Monthly

CVE-2026-24319 MEDIUM This Month

SAP Business One stores sensitive data unencrypted in memory dump files, allowing high-privileged local users with user interaction to extract credentials and other confidential information. An attacker with access to these dumps could leverage the exposed data to perform unauthorized operations and modify company data within the B1 environment. No patch is currently available for this medium-severity vulnerability.

SAP Business One
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2023-31403 HIGH This Week

SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Authentication Bypass Business One
NVD
CVSS 3.1
8.0
EPSS
0.4%
CVE-2023-41365 MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE Business One
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-39437 MEDIUM This Month

SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business One
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-37487 MEDIUM This Month

SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

SAP Information Disclosure Business One
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-33993 HIGH This Week

B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP SQLi Business One
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-35292 HIGH This Week

In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-35168 HIGH This Week

Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE Business One
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-32249 HIGH This Week

Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Business One
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-31593 HIGH This Week

SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection SAP Business One
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-42066 MEDIUM PATCH This Month

SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

Information Disclosure SAP Business One
NVD
CVSS 3.1
4.4
EPSS
0.4%
CVE-2021-38180 CRITICAL Act Now

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection SAP Business One
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-38179 MEDIUM This Month

Debug function of Admin UI of SAP Business One Integration is enabled by default. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2021-33704 HIGH PATCH This Week

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

SAP Authentication Bypass Business One
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-33700 HIGH PATCH This Week

SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure SAP Business One
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-33698 HIGH PATCH This Week

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

SAP File Upload Business One
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-37532 MEDIUM This Month

SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal SAP Business One
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-33688 MEDIUM This Month

SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Business One
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-33686 MEDIUM This Month

Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-33685 MEDIUM This Month

SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal SAP Business One
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-33662 MEDIUM This Month

Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2021-27616 HIGH This Week

Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One Hana Chef Cookbook Business One
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-27614 HIGH This Week

SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Code Injection SAP Business One Hana Chef Cookbook Business One
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2020-6239 MEDIUM This Month

Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Business One
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2019-0256 MEDIUM This Month

Under certain conditions SAP Business One Mobile Android App, version 1.2.12, allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure SAP Business One
NVD
CVSS 3.0
5.5
EPSS
0.4%
CVE-2018-2460 MEDIUM This Month

SAP Business One Android application, version 1.2, does not verify the certificate properly for HTTPS connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure SAP Business One
NVD
CVSS 3.0
5.9
EPSS
0.8%
CVE-2018-2458 HIGH This Week

Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-2425 MEDIUM This Month

Under certain conditions, SAP Business One, 9.2, 9.3, for SAP HANA backup service allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
CVSS 3.0
5.5
EPSS
0.4%
CVE-2018-2410 MEDIUM This Month

SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Business One
NVD
CVSS 3.0
5.4
EPSS
1.0%
CVE-2016-6256 CRITICAL POC THREAT Emergency

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.1%.

Google XXE SAP Business One
NVD Exploit-DB
CVSS 3.0
9.6
EPSS
10.1%
EPSS 0% CVSS 5.8
MEDIUM This Month

SAP Business One stores sensitive data unencrypted in memory dump files, allowing high-privileged local users with user interaction to extract credentials and other confidential information. An attacker with access to these dumps could leverage the exposed data to perform unauthorized operations and modify company data within the B1 environment. No patch is currently available for this medium-severity vulnerability.

SAP Business One
NVD
EPSS 0% CVSS 8.0
HIGH This Week

SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Authentication Bypass Business One
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business One
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

SAP Information Disclosure Business One
NVD
EPSS 0% CVSS 7.5
HIGH This Week

B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP SQLi Business One
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE Business One
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Business One
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection SAP Business One
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

Information Disclosure SAP Business One
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection SAP Business One
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Debug function of Admin UI of SAP Business One Integration is enabled by default. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

SAP Authentication Bypass Business One
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure SAP Business One
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

SAP File Upload Business One
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal SAP Business One
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Business One
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal SAP +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Under certain conditions, the installation of SAP Business One, version - 10.0, discloses sensitive information on the file system allowing an attacker to access information which would otherwise be. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One Hana Chef Cookbook +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Code Injection SAP Business One Hana Chef Cookbook +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Business One
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Under certain conditions SAP Business One Mobile Android App, version 1.2.12, allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure SAP +1
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

SAP Business One Android application, version 1.2, does not verify the certificate properly for HTTPS connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure SAP +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Under certain conditions, SAP Business One, 9.2, 9.3, for SAP HANA backup service allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Business One
NVD
EPSS 10% CVSS 9.6
CRITICAL POC THREAT Emergency

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.1%.

Google XXE SAP +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy