Skip to main content

SAP

1669 CVEs vendor

Monthly

CVE-2016-6149 MEDIUM This Month

SAP HANA SPS09 1.00.091.00.14186593 allows local users to obtain sensitive information by leveraging the EXPORT statement to export files, aka SAP Security Note 2252941. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Sps09
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2016-6148 HIGH This Week

SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbitrary code via vectors related to an IMPORT statement, aka SAP Security Note. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP Hana
NVD
CVSS 3.0
7.5
EPSS
3.3%
CVE-2016-6147 CRITICAL Act Now

An unspecified interface in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands with SIDadm privileges via unspecified vectors, aka SAP Security Note 2234226. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.6% and no vendor patch available.

Command Injection SAP Trex
NVD
CVSS 3.0
9.8
EPSS
10.6%
CVE-2016-6145 MEDIUM This Month

The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Db
NVD
CVSS 3.0
5.3
EPSS
0.4%
CVE-2016-6144 HIGH This Week

The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False,". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SAP Authentication Bypass Hana
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2016-6140 CRITICAL Act Now

SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Trex
NVD
CVSS 3.0
9.8
EPSS
9.8%
CVE-2016-6139 CRITICAL Act Now

SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Trex
NVD
CVSS 3.0
9.8
EPSS
5.0%
CVE-2016-6138 CRITICAL Act Now

Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.

Path Traversal SAP Trex
NVD
CVSS 3.0
9.8
EPSS
15.7%
CVE-2016-3640 MEDIUM This Month

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.091.00.1418659308 allows local users to obtain sensitive password information via vectors related to passwords in Web. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Db
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2010-5326 CRITICAL POC KEV THREAT Emergency

Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet allows attackers to bypass authentication and execute arbitrary code. Confirmed actively exploited (CISA KEV) from 2013 through 2016 in 'Detour' attacks targeting SAP business applications. CVSS 10.0 with EPSS 16.90% (95th percentile) indicates both maximum theoretical severity and sustained real-world exploitation. This remains a critical priority for organizations running legacy SAP NetWeaver Java instances despite the vulnerability's age.

Java SAP Authentication Bypass RCE
NVD VulDB
CVSS 3.1
10.0
EPSS
16.9%
Threat
6.0
CVE-2016-4018 HIGH This Week

The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Hana
NVD
CVSS 3.0
7.3
EPSS
0.4%
CVE-2016-4017 HIGH This Week

The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2016-4016 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS SAP Java As
NVD
CVSS 3.0
6.1
EPSS
0.5%
CVE-2016-4015 HIGH This Week

The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java Netweaver
NVD
CVSS 3.0
7.5
EPSS
3.0%
CVE-2016-4014 HIGH POC This Week

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE SAP Java Netweaver
NVD
CVSS 3.0
8.6
EPSS
6.9%
CVE-2016-3980 HIGH This Week

The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java Application Server Java
NVD
CVSS 3.0
7.5
EPSS
3.3%
CVE-2016-3979 HIGH This Week

Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java Buffer Overflow Java As
NVD
CVSS 3.0
7.5
EPSS
3.7%
CVE-2015-8840 HIGH This Week

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Java Authentication Bypass Netweaver Application Server Java
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2016-3976 HIGH POC KEV THREAT Act Now

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Path Traversal SAP
NVD Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
81.5%
Threat
6.9
CVE-2016-3975 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS SAP Java Netweaver Application Server Java
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2016-3974 CRITICAL POC THREAT Emergency

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.9%.

Denial Of Service XXE SAP Java Netweaver Application Server Java
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
13.9%
CVE-2016-3973 MEDIUM This Month

The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Java Netweaver Application Server Java
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2016-2536 HIGH This Week

Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP 3D Visual Enterprise Viewer Sketchup
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2016-2389 HIGH POC THREAT Act Now

Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 83.7%.

Path Traversal SAP Netweaver
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
83.7%
Threat
5.5
CVE-2016-2388 MEDIUM POC KEV THREAT This Month

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java SAP Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
62.3%
Threat
5.9
CVE-2016-2387 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Java Netweaver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-2386 CRITICAL POC KEV THREAT Emergency

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

SAP SQLi
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
44.0%
Threat
6.3
CVE-2016-1929 CRITICAL Act Now

The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request,. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana
NVD
CVSS 3.0
9.3
EPSS
1.3%
CVE-2016-1928 CRITICAL Emergency

Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 37.3% and no vendor patch available.

Denial Of Service RCE SAP Buffer Overflow Hana
NVD
CVSS 3.0
9.8
EPSS
37.3%
CVE-2016-1911 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-1910 MEDIUM POC THREAT This Month

The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.6%.

SAP Information Disclosure Netweaver
NVD Exploit-DB
CVSS 3.0
5.3
EPSS
12.6%
CVE-2015-8753 CRITICAL Act Now

SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization checks and wipe or lock mobile devices via a crafted request, related to "Insecure signature," aka SAP Security Note 2134905. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation SAP Afaria
NVD
CVSS 3.0
9.1
EPSS
0.5%
CVE-2015-8600 HIGH This Week

The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Mobile Platform
NVD
CVSS 2.0
7.5
EPSS
0.3%
CVE-2015-8330 HIGH This Week

The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow Plant Connectivity
NVD
CVSS 2.0
7.8
EPSS
3.4%
CVE-2015-8329 MEDIUM This Month

SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Manufacturing Integration And Intelligence
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2015-7994 HIGH This Week

The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
CVSS 2.0
7.5
EPSS
2.4%
CVE-2015-7993 HIGH This Week

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2015-7992 MEDIUM This Month

SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to cause a denial of service (memory corruption and indexserver crash) via unspecified vectors to the. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow Hana
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2015-7991 MEDIUM This Month

The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2015-7828 CRITICAL Act Now

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
CVSS 2.0
10.0
EPSS
3.6%
CVE-2015-8030 MEDIUM This Month

SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow 3D Visual Enterprise Viewer
NVD
CVSS 2.0
6.8
EPSS
2.9%
CVE-2015-8029 MEDIUM This Month

SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow 3D Visual Enterprise Viewer
NVD
CVSS 2.0
6.8
EPSS
1.7%
CVE-2015-8028 MEDIUM This Month

Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow 3D Visual Enterprise Viewer
NVD
CVSS 2.0
6.8
EPSS
3.4%
CVE-2015-7986 HIGH POC THREAT Act Now

The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 27.3%.

Denial Of Service RCE SAP Buffer Overflow Hana
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
27.3%
CVE-2015-7730 CRITICAL Act Now

SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow Businessobjects Businessobjects Edge +1
NVD
CVSS 2.0
10.0
EPSS
1.9%
CVE-2015-7729 MEDIUM This Month

Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection Hana
NVD
CVSS 2.0
6.5
EPSS
0.5%
CVE-2015-7728 LOW Monitor

Cross-site scripting (XSS) vulnerability in user creation in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to inject arbitrary. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Hana
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-7727 MEDIUM This Month

Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allow remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Hana
NVD
CVSS 2.0
6.5
EPSS
0.6%
CVE-2015-7726 LOW Monitor

Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Hana
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-7725 MEDIUM This Month

Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Hana
NVD
CVSS 2.0
6.5
EPSS
1.0%
CVE-2015-6507 HIGH This Week

The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows local users to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors, aka. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow Hana
NVD
CVSS 2.0
7.2
EPSS
0.1%
CVE-2015-7239 HIGH This Week

SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Netweaver J2Ee Engine
NVD
CVSS 2.0
7.5
EPSS
0.4%
CVE-2015-6664 MEDIUM This Month

XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

XXE SAP Mobile Platform
NVD
CVSS 2.0
6.8
EPSS
0.6%
CVE-2015-6663 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the Client form in the Device Inspector page in SAP Afaria 7 allows remote attackers to inject arbitrary web script or HTML via crafted client name data,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Afaria
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-6662 MEDIUM This Month

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

XXE SAP Netweaver
NVD
CVSS 2.0
6.8
EPSS
0.6%
CVE-2015-3621 CRITICAL Act Now

Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure SAP Enterprise Central Component
NVD
CVSS 2.0
9.3
EPSS
0.4%
CVE-2015-3449 HIGH This Week

The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Microsoft Afaria
NVD
CVSS 2.0
7.2
EPSS
0.0%
CVE-2015-5068 HIGH This Week

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
CVSS 2.0
7.5
EPSS
1.0%
CVE-2015-5067 HIGH This Week

The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Notes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver
NVD
CVSS 2.0
7.5
EPSS
1.6%
CVE-2014-6284 HIGH POC This Week

SAP Adaptive Server Enterprise (ASE) before 15.7 SP132 and 16.0 before 16.0 SP01 allows remote attackers to bypass the challenge and response mechanism and obtain access to the probe account via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Adaptive Server Enterprise
NVD
CVSS 2.0
7.5
EPSS
0.2%
CVE-2015-4161 HIGH POC This Week

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Afaria
NVD
CVSS 2.0
7.5
EPSS
0.5%
CVE-2015-4160 HIGH POC This Week

SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi SAP Ase Database Platform
NVD
CVSS 2.0
7.5
EPSS
0.3%
CVE-2015-4159 HIGH POC This Week

SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi SAP Hana Web Based Development Workbench
NVD
CVSS 2.0
7.5
EPSS
0.3%
CVE-2015-4158 MEDIUM POC This Month

SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Java Netweaver Abap Application Server Netweaver Java Application Server
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-4157 MEDIUM POC This Month

SAP Content Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2127995. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Content Server
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-2282 HIGH POC This Week

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service RCE SAP Buffer Overflow Gui +5
NVD
CVSS 2.0
7.5
EPSS
0.9%
CVE-2015-2278 MEDIUM POC This Month

The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Buffer Overflow Gui Maxdb +4
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2015-3995 MEDIUM This Month

SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana
NVD
CVSS 2.0
4.0
EPSS
0.3%
CVE-2015-3994 MEDIUM This Month

The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request,. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana
NVD
CVSS 2.0
4.0
EPSS
0.3%
CVE-2015-4092 HIGH This Week

Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP Buffer Overflow Afaria
NVD
CVSS 2.0
7.5
EPSS
2.1%
CVE-2015-4091 HIGH This Week

XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java Sap Netweaver Application Server Java
NVD
CVSS 2.0
7.5
EPSS
1.0%
CVE-2015-3981 MEDIUM This Month

SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver Rfc Sdk
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2015-3980 HIGH This Week

SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Customer Relationship Management
NVD
CVSS 2.0
7.5
EPSS
0.2%
CVE-2015-3979 HIGH This Week

Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Customer Relationship Management
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2015-3978 LOW Monitor

SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Sybase Unwired Platform Online Data Proxy
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2015-2820 MEDIUM This Month

Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote attackers to cause a denial of service (process termination) via a crafted request, aka SAP Security Note 2132584. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow Afaria
NVD
CVSS 2.0
5.0
EPSS
3.9%
CVE-2015-2819 MEDIUM This Month

SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request, aka SAP Security Note 2108161. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Sql Anywhere
NVD
CVSS 2.0
5.0
EPSS
3.3%
CVE-2015-2818 MEDIUM This Month

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125513. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2015-2817 MEDIUM This Month

The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2015-2816 HIGH This Week

The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Afaria
NVD
CVSS 2.0
7.5
EPSS
0.8%
CVE-2015-2815 MEDIUM This Month

Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP Buffer Overflow Netweaver
NVD
CVSS 2.0
6.5
EPSS
3.5%
CVE-2015-2814 MEDIUM This Month

SAP EMR Unwired (com.sap.mobile.healthcare.emr.v2) and Clinical Task Tracker (com.sap.mobile.healthcare.ctt) does not properly restrict access, which allows remote attackers to change the backendurl,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Clinical Task Tracker Emr Unwired
NVD
CVSS 2.0
6.4
EPSS
0.5%
CVE-2015-2813 MEDIUM This Month

XML external entity (XXE) vulnerability in SAP Mobile Platform allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125358. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-2812 MEDIUM This Month

XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Enterprise Portal
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2015-2811 MEDIUM This Month

XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Enterprise Portal
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2015-2107 MEDIUM This Month

HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

HP SAP Authentication Bypass Operations Manager I Management Pack
NVD
CVSS 2.0
6.8
EPSS
0.0%
CVE-2015-2076 MEDIUM This Month

The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Edge
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2015-2075 MEDIUM This Month

SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Businessobjects Edge
NVD
CVSS 2.0
5.0
EPSS
1.2%
CVE-2015-2072 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS SAP Hana
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-1312 HIGH This Week

The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Enterprise Resource Planning
NVD
CVSS 2.0
7.5
EPSS
0.5%
EPSS 0% CVSS 5.5
MEDIUM This Month

SAP HANA SPS09 1.00.091.00.14186593 allows local users to obtain sensitive information by leveraging the EXPORT statement to export files, aka SAP Security Note 2252941. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Sps09
NVD
EPSS 3% CVSS 7.5
HIGH This Week

SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbitrary code via vectors related to an IMPORT statement, aka SAP Security Note. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP +1
NVD
EPSS 11% CVSS 9.8
CRITICAL Act Now

An unspecified interface in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands with SIDadm privileges via unspecified vectors, aka SAP Security Note 2234226. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.6% and no vendor patch available.

Command Injection SAP Trex
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Db
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False,". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SAP Authentication Bypass Hana
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Trex
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Trex
NVD
EPSS 16% CVSS 9.8
CRITICAL Act Now

Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.

Path Traversal SAP Trex
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.091.00.1418659308 allows local users to obtain sensitive password information via vectors related to passwords in Web. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Hana Db
NVD
EPSS 17% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet allows attackers to bypass authentication and execute arbitrary code. Confirmed actively exploited (CISA KEV) from 2013 through 2016 in 'Detour' attacks targeting SAP business applications. CVSS 10.0 with EPSS 16.90% (95th percentile) indicates both maximum theoretical severity and sustained real-world exploitation. This remains a critical priority for organizations running legacy SAP NetWeaver Java instances despite the vulnerability's age.

Java SAP Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Hana
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS SAP Java As
NVD
EPSS 3% CVSS 7.5
HIGH This Week

The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java +1
NVD
EPSS 7% CVSS 8.6
HIGH POC This Week

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE SAP +2
NVD
EPSS 3% CVSS 7.5
HIGH This Week

The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java +1
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Java +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Java Authentication Bypass +1
NVD
EPSS 81% 6.9 CVSS 7.5
HIGH POC KEV THREAT Act Now

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Path Traversal SAP
NVD Exploit-DB VulDB
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS SAP Java +1
NVD
EPSS 14% CVSS 9.1
CRITICAL POC THREAT Emergency

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.9%.

Denial Of Service XXE SAP +2
NVD Exploit-DB
EPSS 1% CVSS 5.3
MEDIUM This Month

The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Java +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP 3D Visual Enterprise Viewer +1
NVD
EPSS 84% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 83.7%.

Path Traversal SAP Netweaver
NVD Exploit-DB
EPSS 62% 5.9 CVSS 5.3
MEDIUM POC KEV THREAT This Month

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java SAP Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Java +1
NVD
EPSS 44% 6.3 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

SAP SQLi
NVD GitHub Exploit-DB VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request,. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service SAP Hana
NVD
EPSS 37% CVSS 9.8
CRITICAL Emergency

Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 37.3% and no vendor patch available.

Denial Of Service RCE SAP +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver
NVD
EPSS 13% CVSS 5.3
MEDIUM POC THREAT This Month

The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.6%.

SAP Information Disclosure Netweaver
NVD Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL Act Now

SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization checks and wipe or lock mobile devices via a crafted request, related to "Insecure signature," aka SAP Security Note 2134905. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation SAP Afaria
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Mobile Platform
NVD
EPSS 3% CVSS 7.8
HIGH This Week

The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Manufacturing Integration And Intelligence
NVD
EPSS 2% CVSS 7.5
HIGH This Week

The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to cause a denial of service (memory corruption and indexserver crash) via unspecified vectors to the. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana
NVD
EPSS 4% CVSS 10.0
CRITICAL Act Now

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Hana
NVD
EPSS 3% CVSS 6.8
MEDIUM This Month

SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow +1
NVD
EPSS 2% CVSS 6.8
MEDIUM This Month

SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow +1
NVD
EPSS 3% CVSS 6.8
MEDIUM This Month

Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE SAP Buffer Overflow +1
NVD
EPSS 27% CVSS 7.5
HIGH POC THREAT Act Now

The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 27.3%.

Denial Of Service RCE SAP +2
NVD Exploit-DB
EPSS 2% CVSS 10.0
CRITICAL Act Now

SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection +1
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Cross-site scripting (XSS) vulnerability in user creation in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to inject arbitrary. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Hana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allow remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Hana
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Hana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Hana
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows local users to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors, aka. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Netweaver J2Ee Engine
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

XXE SAP Mobile Platform
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the Client form in the Device Inspector page in SAP Afaria 7 allows remote attackers to inject arbitrary web script or HTML via crafted client name data,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS SAP Afaria
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

XXE SAP Netweaver
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure SAP Enterprise Central Component
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure SAP Microsoft +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
EPSS 2% CVSS 7.5
HIGH This Week

The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Notes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SAP Adaptive Server Enterprise (ASE) before 15.7 SP132 and 16.0 before 16.0 SP01 allows remote attackers to bypass the challenge and response mechanism and obtain access to the probe account via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Adaptive Server Enterprise
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Afaria
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in SAP ASE Database Platform allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes: 2152278. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi SAP Ase Database Platform
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Notes 2153892. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi SAP Hana Web Based Development Workbench
NVD
EPSS 0% CVSS 5.0
MEDIUM POC This Month

SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Java +2
NVD
EPSS 0% CVSS 5.0
MEDIUM POC This Month

SAP Content Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2127995. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Content Server
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service RCE SAP +7
NVD
EPSS 1% CVSS 5.0
MEDIUM POC This Month

The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service SAP Buffer Overflow +6
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Hana
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request,. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Hana
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver Rfc Sdk
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi SAP Customer Relationship Management
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Customer Relationship Management
NVD
EPSS 0% CVSS 2.1
LOW Monitor

SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Sybase Unwired Platform Online Data Proxy
NVD
EPSS 4% CVSS 5.0
MEDIUM This Month

Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote attackers to cause a denial of service (process termination) via a crafted request, aka SAP Security Note 2132584. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Buffer Overflow +1
NVD
EPSS 3% CVSS 5.0
MEDIUM This Month

SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request, aka SAP Security Note 2108161. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service SAP Sql Anywhere
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125513. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Afaria
NVD
EPSS 3% CVSS 6.5
MEDIUM This Month

Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service RCE SAP +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

SAP EMR Unwired (com.sap.mobile.healthcare.emr.v2) and Clinical Task Tracker (com.sap.mobile.healthcare.ctt) does not properly restrict access, which allows remote attackers to change the backendurl,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Clinical Task Tracker +1
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

XML external entity (XXE) vulnerability in SAP Mobile Platform allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125358. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Mobile Platform
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Enterprise Portal
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Enterprise Portal
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

HP SAP Authentication Bypass +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Edge
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Businessobjects Edge
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS SAP Hana
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation SAP Enterprise Resource Planning
NVD
Prev Page 17 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy