Skip to main content

SAP

1669 CVEs vendor

Monthly

CVE-2020-6216 MEDIUM This Month

SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-6214 MEDIUM This Month

SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass S 4Hana
NVD
CVSS 3.1
4.7
EPSS
0.6%
CVE-2020-6210 MEDIUM This Month

SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Fiori Launchpad
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-6209 HIGH This Week

SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP Authentication Bypass Disclosure Management
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2020-6208 HIGH This Week

SAP Business Objects Business Intelligence Platform (Crystal Reports), versions- 4.1, 4.2, allows an attacker with basic authorization to inject code that can be executed by the application and thus. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

SAP Use After Free Memory Corruption RCE Crystal Reports
NVD
CVSS 3.1
8.2
EPSS
1.1%
CVE-2020-6207 CRITICAL POC KEV THREAT Emergency

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SAP Authentication Bypass Solution Manager
NVD
CVSS 3.1
9.8
EPSS
98.4%
CVE-2020-6206 MEDIUM This Month

SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning massages. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF SAP Cloud Platform Integration
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2020-6205 MEDIUM This Month

SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver As Abap Business Server Pages
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-6204 MEDIUM This Month

The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Treasury And Risk Management Ea Finserv Treasury And Risk Management S4Core
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2020-6203 CRITICAL Act Now

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Path Traversal Netweaver
NVD
CVSS 3.1
9.1
EPSS
1.9%
CVE-2020-6202 HIGH This Week

SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java SAP Information Disclosure Netweaver Application Server Java
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2020-6201 MEDIUM This Month

The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Commerce Cloud
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-6200 MEDIUM This Month

The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Commerce Cloud
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-6199 MEDIUM This Month

The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Erp
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2020-6198 CRITICAL Act Now

SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Solution Manager
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2020-6197 LOW Monitor

SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
CVSS 3.1
3.3
EPSS
0.6%
CVE-2020-6196 HIGH This Week

SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all the threads resulting in a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Businessobjects Mobile
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-6178 MEDIUM This Month

SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-6193 MEDIUM This Month

SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver Knowledge Management
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-6192 HIGH This Week

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Landscape Management
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2020-6191 HIGH This Week

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Landscape Management
NVD
CVSS 3.1
7.2
EPSS
1.6%
CVE-2020-6190 MEDIUM This Month

Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SAP Information Disclosure Netweaver Application Server Java
NVD
CVSS 3.1
5.8
EPSS
0.9%
CVE-2020-6189 MEDIUM This Month

Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-6188 HIGH This Week

VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Erp S 4 Hana
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2020-6187 MEDIUM This Month

SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP XXE Netweaver Guided Procedures
NVD
CVSS 3.1
4.9
EPSS
0.9%
CVE-2020-6186 HIGH This Week

SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Authentication Bypass Host Agent
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-6185 MEDIUM This Month

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Netweaver S 4Hana
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-6184 MEDIUM This Month

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver S 4Hana
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-6183 MEDIUM This Month

SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Host Agent
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2020-6181 MEDIUM This Month

Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Abap Platform Netweaver
NVD
CVSS 3.1
5.8
EPSS
0.8%
CVE-2020-6177 MEDIUM This Month

SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Mobile Platform
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-6307 MEDIUM This Month

Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Basis
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-6306 LOW Monitor

Missing authorization check in a transaction within SAP Leasing (update provided in SAP_APPL 6.18, EA-APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Leasing
NVD
CVSS 3.1
2.7
EPSS
0.6%
CVE-2020-6305 MEDIUM This Month

PI Rest Adapter of SAP Process Integration (update provided in SAP_XIAF 7.31, 7.40, 7.50) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Process Integration
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-6304 HIGH This Week

Improper input validation in SAP NetWeaver Internet Communication Manager (update provided in KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Netweaver Internet Communication Manager Kernel Netweaver Internet Communication Manager Krnl32Nuc Netweaver Internet Communication Manager Krnl32Uc +2
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-6303 MEDIUM This Month

SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Disclosure Management
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0384 HIGH This Week

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Enterprise Extension Financial Services Treasury And Risk Management S4Core
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2019-0383 HIGH This Week

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Enterprise Extension Financial Services Treasury And Risk Management S4Core
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2019-0405 HIGH This Week

SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0404 HIGH This Week

SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0403 CRITICAL Act Now

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Enable Now
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2019-0402 MEDIUM PATCH This Month

SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Information Disclosure SAP Adaptive Server Enterprise
NVD
CVSS 3.1
4.4
EPSS
0.4%
CVE-2019-0399 MEDIUM This Month

SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Portfolio And Project Management
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-0398 HIGH This Week

Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP CSRF Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2019-0395 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-0396 HIGH This Week

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2019-0388 MEDIUM This Month

SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Ui
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2019-0386 MEDIUM This Month

Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Erp Sales S4Hana Sales
NVD
CVSS 3.1
6.3
EPSS
0.7%
CVE-2019-0393 MEDIUM This Month

An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Quality Management
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2019-0391 MEDIUM This Month

Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure SAP Netweaver Application Server Java
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2019-0390 MEDIUM This Month

Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Diagnostics Agent
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2019-0389 HIGH This Week

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure SAP Netweaver Application Server Java
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2019-0385 MEDIUM This Month

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Enable Now
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2019-0382 MEDIUM This Month

A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0350 HIGH This Week

SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana Database
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0381 MEDIUM This Month

A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, before version 16.1, and SAP Dynamic Tier, before versions 1.0 and 2.0, can result in the inadvertent access of files located in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Information Disclosure SAP Dynamic Tier Sap Iq +1
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2019-0380 MEDIUM This Month

Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters’ default values to be part of the application logs leading to Information. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Landscape Management
NVD
CVSS 3.1
4.9
EPSS
0.9%
CVE-2019-0379 MEDIUM This Month

SAP Process Integration, business-to-business add-on, versions 1.0, 2.0, does not perform authentication check properly when the default security provider is changed to BouncyCastle (BC), leading to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Process Integration
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2019-0378 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0377 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0376 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0375 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-0374 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-0370 MEDIUM This Month

Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection SAP Financial Consolidation
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2019-0369 MEDIUM This Month

SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Financial Consolidation
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0368 MEDIUM This Month

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Customer Relationship Management Bbpcrm Customer Relationship Management S4Crm
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2019-0367 MEDIUM This Month

SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Netweaver Process Integration
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2019-0365 HIGH This Week

SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL before versions 7.21,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Microsoft SAP Sap Kernel +4
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-0364 MEDIUM This Month

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana Extended Application Services
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2019-0363 HIGH This Week

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana Extended Application Services
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2019-0361 MEDIUM This Month

SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Supplier Relationship Management
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2019-0357 MEDIUM This Month

The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Hana
NVD
CVSS 3.1
6.7
EPSS
0.4%
CVE-2019-0356 MEDIUM This Month

Under certain conditions SAP NetWeaver Process Integration Runtime Workbench - MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Process Integration
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2019-0355 HIGH This Week

SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE SAP Netweaver Application Server Java
NVD
CVSS 3.1
7.2
EPSS
1.6%
CVE-2019-0353 LOW Monitor

Under certain conditions SAP Business One client (B1_ON_HANA, SAP-M-BO), before versions 9.2 and 9.3, allows an attacker to access information which would otherwise be restricted. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One Client
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2019-0352 HIGH This Week

In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0349 HIGH This Week

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Advanced Business Application Programming Platform Kernel
NVD
CVSS 3.0
7.2
EPSS
1.2%
CVE-2019-0351 HIGH This Week

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Netweaver
NVD
CVSS 3.0
8.8
EPSS
2.5%
CVE-2019-0348 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
CVSS 3.0
6.5
EPSS
0.7%
CVE-2019-0346 MEDIUM This Month

Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
CVSS 3.0
6.5
EPSS
0.7%
CVE-2019-0345 CRITICAL Act Now

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF SAP Netweaver Application Server Java
NVD
CVSS 3.0
9.8
EPSS
2.3%
CVE-2019-0344 CRITICAL KEV THREAT Act Now

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Deserialization Commerce Cloud
NVD
CVSS 3.1
9.8
EPSS
7.1%
CVE-2019-0343 HIGH This Week

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SAP Commerce Cloud
NVD
CVSS 3.0
8.8
EPSS
1.5%
CVE-2019-0341 HIGH This Week

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2019-0340 MEDIUM This Month

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE File Upload SAP Enable Now
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2019-0338 MEDIUM This Month

During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Gateway
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2019-0337 MEDIUM This Month

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java SAP Netweaver Process Integration
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-0335 MEDIUM This Month

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-0334 MEDIUM This Month

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2019-0333 MEDIUM This Month

In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
CVSS 3.0
6.5
EPSS
1.1%
EPSS 1% CVSS 6.1
MEDIUM This Month

SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass S 4Hana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Fiori Launchpad
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP Authentication Bypass Disclosure Management
NVD
EPSS 1% CVSS 8.2
HIGH This Week

SAP Business Objects Business Intelligence Platform (Crystal Reports), versions- 4.1, 4.2, allows an attacker with basic authorization to inject code that can be executed by the application and thus. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

SAP Use After Free Memory Corruption +2
NVD
EPSS 98% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SAP Authentication Bypass Solution Manager
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning massages. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF SAP Cloud Platform Integration
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver As Abap Business Server Pages
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Treasury And Risk Management Ea Finserv +1
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Path Traversal Netweaver
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java SAP Information Disclosure +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Commerce Cloud
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Commerce Cloud
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Erp
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Solution Manager
NVD
EPSS 1% CVSS 3.3
LOW Monitor

SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all the threads resulting in a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Businessobjects Mobile
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver Knowledge Management
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Landscape Management
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Landscape Management
NVD
EPSS 1% CVSS 5.8
MEDIUM This Month

Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SAP Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 8.8
HIGH This Week

VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Erp +1
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Authentication Bypass +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Netweaver +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Host Agent
NVD
EPSS 1% CVSS 5.8
MEDIUM This Month

Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Abap Platform +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Mobile Platform
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Basis
NVD
EPSS 1% CVSS 2.7
LOW Monitor

Missing authorization check in a transaction within SAP Leasing (update provided in SAP_APPL 6.18, EA-APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Leasing
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

PI Rest Adapter of SAP Process Integration (update provided in SAP_XIAF 7.31, 7.40, 7.50) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Process Integration
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper input validation in SAP NetWeaver Internet Communication Manager (update provided in KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Netweaver Internet Communication Manager Kernel +4
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Disclosure Management
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Enterprise Extension Financial Services +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Enterprise Extension Financial Services +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Enable Now
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Information Disclosure SAP Adaptive Server Enterprise
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Portfolio And Project Management
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP CSRF Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 7.1
HIGH This Week

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Ui
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Erp Sales +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Quality Management
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure SAP +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Diagnostics Agent
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure SAP +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Enable Now
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana Database
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, before version 16.1, and SAP Dynamic Tier, before versions 1.0 and 2.0, can result in the inadvertent access of files located in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Information Disclosure SAP +3
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters’ default values to be part of the application logs leading to Information. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Landscape Management
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

SAP Process Integration, business-to-business add-on, versions 1.0, 2.0, does not perform authentication check properly when the default security provider is changed to BouncyCastle (BC), leading to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Process Integration
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection SAP Financial Consolidation
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Financial Consolidation
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Customer Relationship Management Bbpcrm +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Netweaver Process Integration
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC, before versions 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL before versions 7.21,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Microsoft +6
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open ports. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana Extended Application Services
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana Extended Application Services
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Supplier Relationship Management
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Hana
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Under certain conditions SAP NetWeaver Process Integration Runtime Workbench - MESSAGING and SAP_XIAF (before versions 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Process Integration
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE +2
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Under certain conditions SAP Business One client (B1_ON_HANA, SAP-M-BO), before versions 9.2 and 9.3, allows an attacker to access information which would otherwise be restricted. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Business One Client
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence Platform
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Advanced Business Application Programming Platform Kernel
NVD
EPSS 3% CVSS 8.8
HIGH This Week

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Netweaver
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF SAP +1
NVD
EPSS 7% CVSS 9.8
CRITICAL KEV THREAT Act Now

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Deserialization +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SAP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE File Upload SAP +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Gateway
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java SAP +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Businessobjects Business Intelligence
NVD
Prev Page 13 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy