Filtered by vendor Sap
Subscriptions
Total
1586 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30011 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | 5.3 Medium |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application. | ||||
| CVE-2025-30012 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | 10 Critical |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application. | ||||
| CVE-2025-23192 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-10-23 | 8.2 High |
| SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability. | ||||
| CVE-2025-42988 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | 3.7 Low |
| Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application. | ||||
| CVE-2025-42911 | 1 Sap | 3 Netweaver, Sap Basis, Sap Netweaver | 2025-10-23 | 5 Medium |
| SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application | ||||
| CVE-2025-42918 | 1 Sap | 5 Application Server, Background Processing, Netweaver and 2 more | 2025-10-23 | 4.3 Medium |
| SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability | ||||
| CVE-2025-42926 | 1 Sap | 2 Netweaver Application Server Java, Sap Netweaver Application Server Java | 2025-10-23 | 5.3 Medium |
| SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server. | ||||
| CVE-2025-42936 | 1 Sap | 2 Netweaver Application Server For Abap, Sap Basis | 2025-10-23 | 5.4 Medium |
| The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability. | ||||
| CVE-2024-33004 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intgelligence Platform | 2025-10-23 | 4.3 Medium |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | ||||
| CVE-2024-28165 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | 8.1 High |
| SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application | ||||
| CVE-2022-22536 | 1 Sap | 3 Content Server, Netweaver Application Server Abap, Web Dispatcher | 2025-10-22 | 9.8 Critical |
| SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system. | ||||
| CVE-2021-38163 | 1 Sap | 1 Netweaver | 2025-10-22 | 9.9 Critical |
| SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable. | ||||
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 10.0 Critical |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | ||||
| CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2025-10-22 | 9.8 Critical |
| SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. | ||||
| CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2025-10-22 | 9.8 Critical |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | ||||
| CVE-2018-2380 | 1 Sap | 1 Customer Relationship Management | 2025-10-22 | 6.6 Medium |
| SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. | ||||
| CVE-2017-12637 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 7.5 High |
| Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. | ||||
| CVE-2016-9563 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 6.5 Medium |
| BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. | ||||
| CVE-2016-3976 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 7.5 High |
| Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | ||||
| CVE-2016-2388 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 5.3 Medium |
| The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. | ||||