Skip to main content

SAP

1669 CVEs vendor

Monthly

CVE-2024-28167 MEDIUM This Month

SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-27901 HIGH This Week

SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2024-27899 HIGH This Week

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure SAP
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-27898 MEDIUM This Month

SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF SAP Netweaver
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-25646 MEDIUM PATCH This Month

Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure SAP Businessobjects Web Intelligence
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-28163 MEDIUM This Month

Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Process Integration
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-27902 MEDIUM This Month

Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver As Abap
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-27900 MEDIUM This Month

Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Abap Platform
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-25645 MEDIUM This Month

Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Enterprise Portal
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-25644 MEDIUM This Month

Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-22133 MEDIUM This Month

SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Fiori Front End Server
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-22127 CRITICAL Act Now

SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Command Injection SAP Netweaver Application Server Java
NVD
CVSS 3.1
9.1
EPSS
1.6%
CVE-2024-25643 MEDIUM This Month

The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Fiori
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-24741 MEDIUM This Month

SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Master Data Governance For Material Data
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-22129 HIGH This Week

SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Companion
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2024-25642 HIGH This Week

Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure SAP Cloud Connector
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-24743 HIGH This Week

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE SAP Netweaver Application Server Java
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-24742 MEDIUM This Month

SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Crm Webclient Ui
NVD
CVSS 3.1
4.1
EPSS
0.3%
CVE-2024-24740 MEDIUM This Month

SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Application Server Abap
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-24739 MEDIUM This Month

SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Bank Account Management
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2024-22132 MEDIUM This Month

SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection SAP Ides Ecc
NVD
CVSS 3.1
6.3
EPSS
0.5%
CVE-2024-22131 HIGH This Week

In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SAP Abap Platform
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2024-22130 MEDIUM This Month

Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Crm Webclient Ui
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-22128 MEDIUM This Month

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver Business Client For Html
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-22126 MEDIUM This Month

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java SAP Netweaver Application Server Java
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-22125 HIGH This Month

Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft SAP Information Disclosure Gui Connector
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-22124 MEDIUM Monitor

Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22,. Rated medium severity (CVSS 4.1). No vendor patch available.

SAP Information Disclosure Netweaver
NVD
CVSS 3.1
4.1
EPSS
0.1%
CVE-2024-21738 MEDIUM Monitor

SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Netweaver Application Server Abap
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2024-21737 HIGH This Month

In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection Application Interface Framework
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2024-21736 MEDIUM This Month

SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP S 4Hana Finance
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-21735 HIGH This Month

SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. Rated high severity (CVSS 7.3). No vendor patch available.

Authentication Bypass SAP Lt Replication Server
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-21734 LOW Monitor

SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.

Open Redirect SAP Marketing
NVD
CVSS 3.1
3.7
EPSS
0.2%
CVE-2023-50424 LIB CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Privilege Escalation Cloud Security Client Go
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-50423 PyPI CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Python Privilege Escalation Sap Xssec
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-50422 LIB CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Privilege Escalation Cloud Security Services Integration Library
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-49587 MEDIUM This Month

SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Command Injection Solution Manager
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2023-49584 MEDIUM This Month

SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling Fiori Launchpad
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-49583 npm CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Node.js Privilege Escalation Sap Xssec
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-49581 CRITICAL Act Now

SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Microsoft SQLi Netweaver Application Server Abap
NVD
CVSS 3.1
9.4
EPSS
0.5%
CVE-2023-49580 HIGH This Week

SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Information Disclosure Microsoft Graphical User Interface
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2023-49578 LOW Monitor

SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Denial Of Service Cloud Connector
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2023-49577 MEDIUM This Month

The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Human Capital Management
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-49058 MEDIUM This Month

SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Path Traversal File Upload Master Data Governance
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-42481 HIGH This Week

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2023-42478 HIGH This Week

SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business Objects Business Intelligence Platform
NVD
CVSS 3.1
7.6
EPSS
0.6%
CVE-2023-42476 MEDIUM This Month

SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Businessobjects Web Intelligence
NVD
CVSS 3.1
6.8
EPSS
0.6%
CVE-2023-42480 MEDIUM This Month

The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Information Disclosure Netweaver Application Server Java
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-41366 MEDIUM This Month

Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver Application Server Abap
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-31403 HIGH This Week

SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Authentication Bypass Business One
NVD
CVSS 3.1
8.0
EPSS
0.4%
CVE-2023-36920 MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Enable Now Enable Now Consump Del Enable Now Wpb Manager Enable Now Wpb Manager Ce +1
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-42477 MEDIUM This Month

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java SSRF Netweaver Application Server Java
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-42474 MEDIUM This Month

SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Businessobjects Web Intelligence
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-41365 MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE Business One
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-40310 HIGH This Week

SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Powerdesigner
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-40624 MEDIUM This Month

SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Netweaver Application Server Abap
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-40623 HIGH This Week

SAP BusinessObjects Suite Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2023-40622 CRITICAL Act Now

SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an authenticated attacker to view sensitive information which is. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2023-40621 MEDIUM This Month

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP RCE Code Injection Powerdesigner
NVD
CVSS 3.1
6.3
EPSS
0.6%
CVE-2023-40309 CRITICAL Act Now

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Commoncryptolib Content Server Extended Application Services And Runtime +6
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-42472 HIGH This Week

Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP File Upload Information Disclosure Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2023-41369 PyPI MEDIUM This Month

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE S 4 Hana
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-41367 MEDIUM This Month

Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-40308 HIGH This Week

SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow SAP Commoncryptolib Content Server +7
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-37489 MEDIUM This Month

Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-40306 MEDIUM This Month

SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Open Redirect S 4Hana
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-39440 MEDIUM This Month

In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker. Rated medium severity (CVSS 4.4). No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2023-39439 CRITICAL Act Now

SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud Commerce Hycom
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-39437 MEDIUM This Month

SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business One
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-39436 MEDIUM This Month

SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Supplier Relationship Management
NVD
CVSS 3.1
5.8
EPSS
0.4%
CVE-2023-37492 MEDIUM This Month

SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Application Server Abap
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-37491 HIGH This Week

The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Message Server
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-37490 CRITICAL Act Now

SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
CVSS 3.1
9.0
EPSS
0.2%
CVE-2023-37488 MEDIUM This Month

In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Netweaver Process Integration
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-37487 MEDIUM This Month

SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

SAP Information Disclosure Business One
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-37486 HIGH This Week

Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud Commerce Hycom
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-37484 MEDIUM This Month

SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Powerdesigner
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-37483 CRITICAL Act Now

SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Powerdesigner
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-36926 MEDIUM This Month

Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Host Agent
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-36923 HIGH This Week

SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection Powerdesigner
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-33993 HIGH This Week

B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP SQLi Business One
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-36925 HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP SSRF Solution Manager
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2023-36924 MEDIUM This Month

While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Erp Defense Forces And Public Security
NVD
CVSS 3.1
4.9
EPSS
0.5%
CVE-2023-36922 HIGH This Week

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Command Injection Netweaver
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-36921 HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Solution Manager
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2023-36919 MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-36918 MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Enable Now
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-36917 HIGH This Week

SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Businessobjects Business Intelligence
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-35874 HIGH This Week

SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Application Server Abap
NVD
CVSS 3.1
7.4
EPSS
0.4%
CVE-2023-35873 MEDIUM This Month

The Runtime Workbench (RWB) of SAP NetWeaver Process Integration - version SAP_XITOOL 7.50, does not perform authentication checks for certain functionalities that require user identity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Process Integration
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-35872 MEDIUM This Month

The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Process Integration
NVD
CVSS 3.1
6.5
EPSS
0.6%
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure SAP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF SAP Netweaver
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure SAP Businessobjects Web Intelligence
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Process Integration
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver As Abap
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Abap Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Enterprise Portal
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SAP Fiori Front End Server
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Command Injection SAP +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Fiori
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Master Data Governance For Material Data
NVD
EPSS 0% CVSS 7.6
HIGH This Week

SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Companion
NVD
EPSS 1% CVSS 7.4
HIGH This Week

Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure SAP Cloud Connector
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE SAP +1
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Crm Webclient Ui
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Netweaver Application Server Abap
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP Bank Account Management
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection SAP Ides Ecc
NVD
EPSS 1% CVSS 7.2
HIGH This Week

In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SAP +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Crm Webclient Ui
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS SAP Netweaver Business Client For Html
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java SAP +1
NVD
EPSS 1% CVSS 7.4
HIGH This Month

Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft SAP Information Disclosure +1
NVD
EPSS 0% CVSS 4.1
MEDIUM Monitor

Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22,. Rated medium severity (CVSS 4.1). No vendor patch available.

SAP Information Disclosure Netweaver
NVD
EPSS 0% CVSS 4.1
MEDIUM Monitor

SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Netweaver Application Server Abap
NVD
EPSS 0% CVSS 8.4
HIGH This Month

In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP S 4Hana Finance
NVD
EPSS 0% CVSS 7.3
HIGH This Month

SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. Rated high severity (CVSS 7.3). No vendor patch available.

Authentication Bypass SAP Lt Replication Server
NVD
EPSS 0% CVSS 3.7
LOW Monitor

SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.

Open Redirect SAP Marketing
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Privilege Escalation Cloud Security Client Go
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Python Privilege Escalation +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Privilege Escalation Cloud Security Services Integration Library
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Command Injection Solution Manager
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Node.js Privilege Escalation +1
NVD
EPSS 1% CVSS 9.4
CRITICAL Act Now

SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Microsoft +2
NVD
EPSS 0% CVSS 7.3
HIGH This Week

SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Information Disclosure +2
NVD
EPSS 0% CVSS 3.5
LOW Monitor

SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. No vendor patch available.

SAP Denial Of Service Cloud Connector
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Human Capital Management
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Path Traversal File Upload +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud
NVD
EPSS 1% CVSS 7.6
HIGH This Week

SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business Objects Business Intelligence Platform
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Businessobjects Web Intelligence
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Netweaver Application Server Abap
NVD
EPSS 0% CVSS 8.0
HIGH This Week

SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Authentication Bypass Business One
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Enable Now Enable Now Consump Del +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Java SSRF +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Businessobjects Web Intelligence
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Powerdesigner
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Netweaver Application Server Abap
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SAP BusinessObjects Suite Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an authenticated attacker to view sensitive information which is. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP RCE Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Commoncryptolib +8
NVD
EPSS 1% CVSS 7.3
HIGH This Week

Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP File Upload Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE S 4 Hana
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow SAP +9
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Open Redirect S 4Hana
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker. Rated medium severity (CVSS 4.4). No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP XSS Business One
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Supplier Relationship Management
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Application Server Abap
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Message Server
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

SAP Business Objects Installer - versions 420, 430, allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

SAP Information Disclosure Businessobjects Business Intelligence
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Netweaver Process Integration
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

SAP Information Disclosure Business One
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Commerce Cloud +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Powerdesigner
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Powerdesigner
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to missing authentication check in SAP Host Agent - version 7.22, an unauthenticated attacker can set an undocumented parameter to a particular compatibility value and in turn call read. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Host Agent
NVD
EPSS 0% CVSS 7.8
HIGH This Week

SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

SAP SQLi Business One
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP SSRF Solution Manager
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Erp Defense Forces And Public Security
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Command Injection Netweaver
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Solution Manager
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Enable Now
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XSS Enable Now
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Businessobjects Business Intelligence
NVD
EPSS 0% CVSS 7.4
HIGH This Week

SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Application Server Abap
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Runtime Workbench (RWB) of SAP NetWeaver Process Integration - version SAP_XITOOL 7.50, does not perform authentication checks for certain functionalities that require user identity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Process Integration
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Process Integration
NVD
Prev Page 5 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy