Filtered by vendor Sap
Subscriptions
Total
1502 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50423 | 1 Sap | 1 Sap-xssec | 2024-11-21 | 9.1 Critical |
| SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. | ||||
| CVE-2023-50422 | 1 Sap | 1 Cloud-security-services-integration-library | 2024-11-21 | 9.1 Critical |
| SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. | ||||
| CVE-2023-49583 | 1 Sap | 1 \@sap\/xssec | 2024-11-21 | 9.1 Critical |
| SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. | ||||
| CVE-2023-49581 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.1 Medium |
| SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability. | ||||
| CVE-2023-49580 | 1 Sap | 1 Graphical User Interface | 2024-11-21 | 7.3 High |
| SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP. | ||||
| CVE-2023-49578 | 1 Sap | 1 Cloud Connector | 2024-11-21 | 3.5 Low |
| SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity of the application. | ||||
| CVE-2023-49577 | 1 Sap | 1 Human Capital Management | 2024-11-21 | 6.1 Medium |
| The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-49058 | 1 Sap | 1 Master Data Governance | 2024-11-21 | 3.5 Low |
| SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact to the confidentiality. | ||||
| CVE-2023-42481 | 1 Sap | 1 Commerce Cloud | 2024-11-21 | 8.1 High |
| In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity. | ||||
| CVE-2023-42480 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.3 Medium |
| The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability. | ||||
| CVE-2023-42478 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-11-21 | 7.5 High |
| SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application. | ||||
| CVE-2023-42477 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 6.5 Medium |
| SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-42476 | 1 Sap | 1 Businessobjects Web Intelligence | 2024-11-21 | 6.8 Medium |
| SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases. | ||||
| CVE-2023-42475 | 1 Sap | 1 S\/4hana | 2024-11-21 | 4.3 Medium |
| The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality. | ||||
| CVE-2023-42474 | 1 Sap | 1 Businessobjects Web Intelligence | 2024-11-21 | 6.8 Medium |
| SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information. | ||||
| CVE-2023-42472 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 8.7 High |
| Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network. When uploading the image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data causing a high impact on confidentiality and integrity of the application. | ||||
| CVE-2023-41369 | 1 Sap | 1 S\/4 Hana | 2024-11-21 | 3.5 Low |
| The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser. | ||||
| CVE-2023-41368 | 1 Sap | 1 S\/4 Hana | 2024-11-21 | 2.7 Low |
| The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call. | ||||
| CVE-2023-41367 | 1 Sap | 1 Netweaver | 2024-11-21 | 5.3 Medium |
| Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously. On successful exploitation of vulnerability under specific circumstances, attacker can view user’s email address. There is no integrity/availability impact. | ||||
| CVE-2023-41366 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 5.3 Medium |
| Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application. | ||||