VYPR

SAP Business One

by SAP

CVEs (15)

  • CVE-2025-42933 (High) Sep 9, 2025
    risk 0.57, cvss 8.8, epss 0.00

    When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within the HTTP response body. As a result, it has a high impact on the confidentiality, integrity, and…

  • CVE-2025-42951 (High) Aug 12, 2025
    risk 0.57, cvss 8.8, epss 0.00

    Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API. As a result, it has a high impact on the confidentiality, integrity, and availability of the application.

  • CVE-2018-2458 (High) Sep 11, 2018
    risk 0.49, cvss 7.5, epss 0.02

    Under certain conditions, Crystal Report using SAP Business One, versions 9.2 and 9.3, connection type allows an attacker to access information which would otherwise be restricted.

  • CVE-2025-26658 (Medium) Mar 11, 2025
    risk 0.44, cvss 6.8, epss 0.00

    The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and…

  • CVE-2018-2410 (Medium) Apr 10, 2018
    risk 0.35, cvss 5.4, epss 0.01

    SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability.

  • CVE-2025-42897 (Medium) Nov 11, 2025
    risk 0.34, cvss 5.3, epss 0.00

    Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the…

  • CVE-2026-24319 Feb 10, 2026
    risk 0.00, cvss (none), epss 0.00

    In SAP Business One, sensitive information is written to the application's memory dump files without obfuscation. Gaining access to this information could potentially lead to unauthorized operations within the B1 environment, including modification of company data. This issue…

  • CVE-2023-31403 Nov 14, 2023
    risk 0.00, cvss (none), epss 0.00

    SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for the SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by…

  • CVE-2023-41365 Oct 10, 2023
    risk 0.00, cvss (none), epss 0.00

    SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the…

  • CVE-2023-39437 Aug 8, 2023
    risk 0.00, cvss (none), epss 0.00

    SAP Business One - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and get it delivered to the client, resulting in Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity…

  • CVE-2023-33993 Aug 8, 2023
    risk 0.00, cvss (none), epss 0.00

    The B1i module of SAP Business One - version 10.0, allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and…

  • CVE-2022-32249 Jul 12, 2022
    risk 0.00, cvss (none), epss 0.01

    Under a special integration scenario of SAP Business One and SAP HANA - version 10.0, an attacker can exploit HANA cockpit's data volume to gain access to highly sensitive information (e.g., high privileged account credentials).

  • CVE-2022-35168 Jul 12, 2022
    risk 0.00, cvss (none), epss 0.01

    Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative.

  • CVE-2021-42066 Dec 14, 2021
    risk 0.00, cvss (none), epss 0.00

    SAP Business One - version 10.0, allows an admin user to view the DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover the vulnerable function, in-depth application knowledge is required, but once exploited the attacker may be able…

  • CVE-2021-33688 Sep 14, 2021
    risk 0.00, cvss (none), epss 0.01

    SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.