Filtered by vendor Sap
Subscriptions
Total
1502 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-31403 | 1 Sap | 1 Business One | 2025-06-11 | 9.6 Critical |
| SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability. | ||||
| CVE-2022-39801 | 1 Sap | 1 Access Control | 2025-06-10 | 7.5 High |
| SAP GRC Access control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad. This attack can be launched only within the firewall. On successful exploitation the attacker can gain access to admin session and completely compromise the application. | ||||
| CVE-2022-39799 | 1 Sap | 1 Netweaver Application Server Abap | 2025-06-10 | 6.1 Medium |
| An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. | ||||
| CVE-2022-41201 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-06-05 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated Right Hemisphere Binary (.rh, rh.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||
| CVE-2024-21737 | 1 Sap | 1 Application Interface Framework | 2025-06-03 | 8.4 High |
| In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability. | ||||
| CVE-2024-21738 | 1 Sap | 1 Netweaver Application Server Abap | 2025-06-03 | 4.1 Medium |
| SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation. | ||||
| CVE-2018-2398 | 1 Sap | 1 Business Client | 2025-05-27 | 7.5 High |
| Under certain conditions SAP Business Client 6.5 allows an attacker to access information which would otherwise be restricted. | ||||
| CVE-2020-6228 | 1 Sap | 1 Business Client | 2025-05-27 | 7.5 High |
| SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer. | ||||
| CVE-2020-6244 | 1 Sap | 1 Business Client | 2025-05-27 | 7.8 High |
| SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control the behavior of the application. | ||||
| CVE-2021-38150 | 1 Sap | 1 Business Client | 2025-05-27 | 6.5 Medium |
| When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid. | ||||
| CVE-2023-49584 | 1 Sap | 1 Fiori Launchpad | 2025-05-24 | 4.3 Medium |
| SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application. | ||||
| CVE-2022-41191 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-05-20 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated Jupiter Tesselation (.jt, JTReader.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||
| CVE-2022-41204 | 1 Sap | 1 Commerce | 2025-05-20 | 8.8 High |
| An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system. | ||||
| CVE-2022-41209 | 1 Sap | 1 Customer Data Cloud | 2025-05-20 | 5.2 Medium |
| SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might also be susceptible to replay attacks. | ||||
| CVE-2022-41206 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-05-20 | 5.4 Medium |
| SAP BusinessObjects Business Intelligence platform (Analysis for OLAP) - versions 420, 430, allows an authenticated attacker to send user-controlled inputs when OLAP connections are created and edited in the Central Management Console. On successful exploitation, there could be a limited impact on confidentiality and integrity of the application. | ||||
| CVE-2022-41210 | 1 Sap | 1 Customer Data Cloud | 2025-05-20 | 5.2 Medium |
| SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses insecure random number generator program which makes it easy for the attacker to predict future random numbers. This can lead to information disclosure and modification of certain user settings. | ||||
| CVE-2022-41202 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-05-20 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated Visual Design Stream (.vds, vds.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||
| CVE-2022-41189 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-05-20 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated AutoCAD (.dwg, TeighaTranslator.exe) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||
| CVE-2025-42999 | 1 Sap | 1 Netweaver | 2025-05-17 | 9.1 Critical |
| SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | ||||
| CVE-2022-41199 | 1 Sap | 1 3d Visual Enterprise Viewer | 2025-05-15 | 7.8 High |
| Due to lack of proper memory management, when a victim opens a manipulated Open Inventor File (.iv, vrml.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory. | ||||