Filtered by vendor Sap
Subscriptions
Total
1502 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27894 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-02-27 | 5 Medium |
| SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data. | ||||
| CVE-2023-27498 | 1 Sap | 1 Host Agent | 2025-02-27 | 7.2 High |
| SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error. This error can be used to reveal but not modify any technical information about the server. It can also make a particular service temporarily unavailable | ||||
| CVE-2023-27501 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 8.7 High |
| SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity | ||||
| CVE-2023-27893 | 1 Sap | 1 Solution Manager | 2025-02-27 | 8.8 High |
| An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. | ||||
| CVE-2023-27895 | 1 Sap | 1 Authenticator | 2025-02-27 | 6.1 Medium |
| SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the currently views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify and delete the data. | ||||
| CVE-2023-25618 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 6.5 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. | ||||
| CVE-2023-26457 | 1 Sap | 1 Content Server | 2025-02-27 | 6.1 Medium |
| SAP Content Server - version 7.53, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can read and modify some sensitive information but cannot delete the data. | ||||
| CVE-2023-26460 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 5.3 Medium |
| Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity | ||||
| CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2025-02-27 | 6.8 Medium |
| SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. | ||||
| CVE-2023-27268 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 5.3 Medium |
| SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability., resulting in escalation of privileges. | ||||
| CVE-2023-27269 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 9.6 Critical |
| SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable. | ||||
| CVE-2023-27270 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 6.5 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. | ||||
| CVE-2023-29187 | 1 Sap | 1 Sapsetup | 2025-02-26 | 6.7 Medium |
| A Windows user with basic user authorization can exploit a DLL hijacking attack in SapSetup (Software Installation Program) - version 9.0, resulting in a privilege escalation running code as administrator of the very same Windows PC. A successful attack depends on various preconditions beyond the attackers control. | ||||
| CVE-2024-22133 | 1 Sap | 1 Fiori Front End Server | 2025-02-26 | 4.6 Medium |
| SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. | ||||
| CVE-2024-27902 | 1 Sap | 1 Netweaver As Abap | 2025-02-26 | 5.4 Medium |
| Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system | ||||
| CVE-2023-29108 | 1 Sap | 2 Abap Platform Kernel, Web Dispatcher | 2025-02-12 | 5 Medium |
| The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources. | ||||
| CVE-2024-22126 | 1 Sap | 1 Netweaver Application Server Java | 2025-02-11 | 6.1 Medium |
| The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability. | ||||
| CVE-2023-24527 | 1 Sap | 1 Netweaver As Java For Deploy Service | 2025-02-07 | 5.3 Medium |
| SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity. | ||||
| CVE-2023-1903 | 1 Sap | 1 Hcm Fiori App My Forms | 2025-02-07 | 4.3 Medium |
| SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. | ||||
| CVE-2023-26458 | 1 Sap | 1 Landscape Management | 2025-02-07 | 6.8 Medium |
| An information disclosure vulnerability exists in SAP Landscape Management - version 3.0, enterprise edition. It allows an authenticated SAP Landscape Management user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification.The disclosed information is for Diagnostics Agent Connection via Java SCS Message Server of an SAP Solution Manager system and can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to the SAP Solution Manager system. | ||||