Filtered by vendor Sap
Total: 1535 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2015-2074 | 1 Sap | 1 Businessobjects Edge | 2024-11-21 | 7.5 High | The File Repository Server (FRS) CORBA listener in SAP BusinessObjects Edge 4.0 allows remote attackers to write to arbitrary files via a full pathname, aka SAP Note 2018681.
CVE-2015-2073 | 1 Sap | 1 Businessobjects Edge | 2024-11-21 | 7.5 High | The File Repository Server (FRS) CORBA listener in SAP BusinessObjects Edge 4.0 allows remote attackers to read arbitrary files via a full pathname, aka SAP Note 2018682.
CVE-2014-9320 | 1 Sap | 1 Businessobjects Edge | 2024-11-21 | 9.8 Critical | SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and consequently gain SYSTEM privileges via vectors involving CORBA calls, aka SAP Note 2039905.
CVE-2013-1593 | 1 Sap | 1 Netweaver | 2024-11-21 | 7.5 High | A denial-of-service vulnerability exists in the WRITE_C function of the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06 and 7.30 SP04 when a crafted SAP Message Server packet is sent to TCP ports 36NN and/or 39NN.
CVE-2013-1592 | 1 Sap | 1 Netweaver | 2024-11-21 | 9.8 Critical | A buffer overflow vulnerability exists in the Message Server service's _MsJ2EE_AddStatistics() function when specially crafted SAP Message Server packets are sent to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06 and 7.30 SP04, which could let a remote attacker execute arbitrary code.
CVE-2011-1517 | 1 Sap | 1 Netweaver | 2024-11-21 | 9.8 Critical | SAP NetWeaver 7.0 allows remote code execution and denial of service due to an error in the DiagTraceHex() function. By sending a specially crafted packet, an attacker could exploit this vulnerability to cause the application to crash.
CVE-2024-45282 | 1 Sap | 1 S/4 Hana | 2024-11-14 | 4.3 Medium | Fields that are in 'read only' state in Bank Statement Draft in the Manage Bank Statements application could be modified via the MERGE method. The property of an OData entity that is presumably immutable is not protected against external modification, leading to integrity violations. Confidentiality and availability are not impacted.
CVE-2024-45277 | 2 Sap, Sap Se | 2 Hana-client, Sap Hana Client | 2024-11-14 | 4.3 Medium | SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are affected by a prototype pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature, causing low impact on the availability of the application. There is no impact on confidentiality or integrity.
CVE-2024-37179 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-14 | 7.7 High | SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on the confidentiality of the application.
CVE-2024-45278 | 2 Sap, Sap Se | 2 Commerce Backoffice, Sap Commerce Backoffice | 2024-11-14 | 5.4 Medium | SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.
CVE-2024-47594 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-14 | 5.4 Medium | SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability in the KMC servlet. An attacker could craft a malicious link and trick a user into clicking it. When a victim who is registered on the portal clicks such a link, the confidentiality and integrity of their web browser session could be compromised.
CVE-2024-47595 | 1 Sap | 1 Host Agent | 2024-11-14 | 6.3 Medium | An attacker who gains local membership in the sapsys group could replace local files that are usually protected by privileged access. On successful exploitation the attacker could cause high impact on the confidentiality and integrity of the application.
CVE-2024-47586 | 1 Sap | 1 Netweaver Abap Application Server | 2024-11-12 | 5.3 Medium | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted HTTP request that causes a null pointer dereference in the kernel. The dereference crashes and restarts the system, making it temporarily unavailable. There is no impact on confidentiality or integrity.
CVE-2024-47590 | 1 Sap | 1 Web Dispatcher | 2024-11-12 | 8.8 High | An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks this link, the input data is used by the web site's page generation to create content which, when executed in the victim's browser (XSS) or transmitted to another server (SSRF), gives the attacker the ability to execute arbitrary code on the server, fully compromising confidentiality, integrity and availability.
CVE-2024-47592 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-12 | 5.3 Medium | SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.
CVE-2024-42372 | 1 Sap | 1 Netweaver System Landscape Directory | 2024-11-12 | 6.5 Medium | Due to a missing authorization check in SAP NetWeaver AS Java (System Landscape Directory), an unauthorized user can read and modify some restricted global SLD configurations, causing low impact on the confidentiality and integrity of the application.
CVE-2024-42374 | 2 Sap, Sap Se | 2 Bex Web Java Runtime Export Web Service, Bex Web Java Runtime Export Web Service | 2024-09-16 | 8.2 High | BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the available XMLForm service instances, which makes SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.
CVE-2024-33003 | 1 Sap | 1 Commerce Cloud | 2024-09-16 | 7.4 High | Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a high impact on the confidentiality and integrity of the application.
CVE-2024-45281 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-09-16 | 5.8 Medium | SAP BusinessObjects Business Intelligence Platform allows a high-privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs local access to the vulnerable system to perform DLL-related tasks. This could result in a high impact on the confidentiality and integrity of the application.
CVE-2024-44112 | 1 Sap | 1 Oil & Gas | 2024-09-16 | 4.3 Medium | Due to a missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function that allows them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability.
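The HANA Node.js client entry (CVE-2024-45277) describes prototype pollution through a result-shaping feature (nestTables) that turns column names into nested object keys. The following is an added example, not the SAP client's code: it assumes a hypothetical nestTables-style helper that splits each column name at the first "." into a table part and a field part, and shows the unsafe shaper polluting Object.prototype next to a hardened version that rejects prototype-reaching keys and builds the nested objects without a prototype chain. The column names, row format and function names are assumptions made for this illustration.

```javascript
// Added illustration, NOT the SAP HANA Node.js client's code: a hypothetical
// nestTables-style row shaper that groups result columns by table name.
// Column names are assumed to look like "table.field"; the first "." splits them.

function splitColumn(col) {
  const i = col.indexOf('.');
  return i === -1 ? ['', col] : [col.slice(0, i), col.slice(i + 1)];
}

// UNSAFE: plain {} objects inherit from Object.prototype, so a column whose
// table part is "__proto__" makes row[table] resolve to Object.prototype and
// the field assignment lands on every object in the process.
function nestRowUnsafe(columns, values) {
  const row = {};
  columns.forEach((col, i) => {
    const [table, field] = splitColumn(col);
    if (!row[table]) row[table] = {};
    row[table][field] = values[i];
  });
  return row;
}

// HARDENED: reject keys that reach the prototype chain outright, and build the
// nested objects with a null prototype so an unexpected key cannot escape either.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function nestRowSafe(columns, values) {
  const row = Object.create(null);
  columns.forEach((col, i) => {
    const [table, field] = splitColumn(col);
    if (FORBIDDEN_KEYS.has(table) || FORBIDDEN_KEYS.has(field)) {
      throw new Error(`refusing column name that targets the prototype chain: ${col}`);
    }
    if (!Object.prototype.hasOwnProperty.call(row, table)) row[table] = Object.create(null);
    row[table][field] = values[i];
  });
  return row;
}

// Runs both shapers on a constructed result set whose second column alias is
// attacker-controlled, and reports whether Object.prototype was polluted.
function demonstrate() {
  const columns = ['users.name', '__proto__.isAdmin']; // constructed input
  const values = ['alice', true];

  nestRowUnsafe(columns, values);
  const polluted = ({}).isAdmin === true; // an unrelated object now "has" isAdmin
  delete Object.prototype.isAdmin;        // undo the pollution for the rest of the run

  let safeRejected = false;
  try {
    nestRowSafe(columns, values);
  } catch (e) {
    safeRejected = true;
  }
  return { polluted, safeRejected, cleanAfterSafe: ({}).isAdmin === undefined };
}

console.log(JSON.stringify(demonstrate()));
```

The availability impact the advisory mentions follows from the same mechanism: once an attacker-chosen key lands on Object.prototype, unrelated code paths that test for the presence of that property start taking branches they never expected, which typically surfaces as exceptions rather than data exposure.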
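The Commerce Cloud OCC entry (CVE-2024-33003) is about sensitive values travelling in the request URL, where they are copied into access logs, proxy logs and browser history regardless of TLS. The following added example, not SAP code, scans constructed access-log lines for sensitive query keys and email-shaped path segments and produces a redacted form of each offending URL. The log line shape, endpoint paths and parameter names are assumptions made for this illustration and are not taken from the OCC API.

```javascript
// Added example, not SAP code: detect PII carried in request URLs in access
// logs and emit a redacted URL. Log format, paths and parameter names are
// constructed for this illustration.

// Query keys treated as sensitive (compared case-insensitively).
const SENSITIVE_QUERY_KEYS = new Set([
  'password', 'oldpassword', 'newpassword', 'email', 'mobile', 'mobilenumber',
  'couponcode', 'vouchercode',
]);
// Path segments that look like an email address are treated as PII.
const EMAIL_RE = /^[^@\s/]+@[^@\s/]+\.[^@\s/]+$/;

// Constructed sample lines: "<client> <method> <path-and-query> <status>".
const SAMPLE_LOG = [
  '10.0.0.5 GET /occ/v2/shop/products/search?query=laptop&pageSize=20 200',
  '10.0.0.7 PUT /occ/v2/shop/users/current/password?oldPassword=Winter2023&newPassword=Spring2024 200',
  '10.0.0.9 POST /occ/v2/shop/users/alice%40example.com/carts/0001/vouchers?voucherCode=SAVE20 201',
  '10.0.0.5 GET /occ/v2/shop/users/current/orders?fields=FULL 200',
];

function parseLine(line) {
  const [client, method, url, status] = line.split(' ');
  return { client, method, url, status: Number(status) };
}

// Percent-decoding can throw on malformed input; fall back to the raw segment.
function safeDecode(seg) {
  try {
    return decodeURIComponent(seg);
  } catch (e) {
    return seg;
  }
}

// Returns the sensitive query keys and email-shaped path segments found in a URL.
function findSensitive(url) {
  const u = new URL(url, 'https://placeholder.invalid'); // base only makes relative URLs parse
  const query = [...u.searchParams.keys()].filter((k) => SENSITIVE_QUERY_KEYS.has(k.toLowerCase()));
  const path = u.pathname.split('/').map(safeDecode).filter((seg) => EMAIL_RE.test(seg));
  return { query, path };
}

// Returns the path and query with sensitive values replaced, suitable for logging.
function redact(url) {
  const u = new URL(url, 'https://placeholder.invalid');
  for (const k of [...u.searchParams.keys()]) {
    if (SENSITIVE_QUERY_KEYS.has(k.toLowerCase())) u.searchParams.set(k, 'REDACTED');
  }
  u.pathname = u.pathname
    .split('/')
    .map((seg) => (EMAIL_RE.test(safeDecode(seg)) ? 'REDACTED' : seg))
    .join('/');
  return u.pathname + u.search;
}

// Scans log lines and reports every request whose URL carried sensitive data.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    const hit = findSensitive(req.url);
    if (hit.query.length || hit.path.length) {
      findings.push({
        client: req.client,
        method: req.method,
        sensitiveQuery: hit.query,
        sensitivePath: hit.path,
        redacted: redact(req.url),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Redaction at the log layer is a mitigation, not a fix: the values have already crossed the wire in the URL and may sit in intermediaries the application owner does not control, so the durable remedy is moving such fields into the request body, as the advisory's fixed versions presumably do.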