SAP Business One
by SAP
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-42933 | SAP / SAP Business One | High | 0.57 | 8.8 | 0.00 | — | Sep 9, 2025 | When a user logs in via the SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within the HTTP response body. As a result, it has a high impact on the confidentiality, integrity, and… |
| CVE-2025-42951 | SAP / SAP Business One | High | 0.57 | 8.8 | 0.00 | — | Aug 12, 2025 | Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API. As a result, it has a high impact on the confidentiality, integrity, and availability of the application. |
| CVE-2018-2458 | SAP / SAP Business One | High | 0.49 | 7.5 | 0.02 | — | Sep 11, 2018 | Under certain conditions, the Crystal Report connection type used by SAP Business One, versions 9.2 and 9.3, allows an attacker to access information which would otherwise be restricted. |
| CVE-2025-26658 | SAP / SAP Business One | Medium | 0.44 | 6.8 | 0.00 | — | Mar 11, 2025 | The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to improper session management, attackers can elevate themselves to higher privilege and… |
| CVE-2018-2410 | SAP / SAP Business One | Medium | 0.35 | 5.4 | 0.01 | — | Apr 10, 2018 | SAP Business One 9.2 and 9.3 browser access does not sufficiently encode user-controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. |
| CVE-2025-42897 | SAP / SAP Business One | Medium | 0.34 | 5.3 | 0.00 | — | Nov 11, 2025 | Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the… |
| CVE-2026-24319 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Feb 10, 2026 | In SAP Business One, sensitive information is written to the application's memory dump files without obfuscation. Gaining access to this information could potentially lead to unauthorized operations within the B1 environment, including modification of company data. This issue… |
| CVE-2023-31403 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Nov 14, 2023 | SAP Business One installation, version 10.0, does not perform proper authentication and authorization checks for the SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by… |
| CVE-2023-41365 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Oct 10, 2023 | SAP Business One (B1i), version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the… |
| CVE-2023-39437 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Aug 8, 2023 | SAP Business One, version 10.0, allows an attacker to insert malicious code into the content of a web page or application and get it delivered to the client, resulting in Cross-Site Scripting. This could lead to harmful action affecting the Confidentiality, Integrity… |
| CVE-2023-33993 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Aug 8, 2023 | The B1i module of SAP Business One, version 10.0, allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause high impact on confidentiality, integrity and… |
| CVE-2022-32249 | SAP / SAP Business One | — | 0.00 | — | 0.01 | — | Jul 12, 2022 | Under a special integration scenario of SAP Business One and SAP HANA, version 10.0, an attacker can exploit HANA cockpit's data volume to gain access to highly sensitive information (e.g., high privileged account credentials). |
| CVE-2022-35168 | SAP / SAP Business One | — | 0.00 | — | 0.01 | — | Jul 12, 2022 | Due to improper input sanitization of XML input in SAP Business One, version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. |
| CVE-2021-42066 | SAP / SAP Business One | — | 0.00 | — | 0.00 | — | Dec 14, 2021 | SAP Business One, version 10.0, allows an admin user to view the DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover the vulnerable function, in-depth application knowledge is required, but once exploited the attacker may be able… |
| CVE-2021-33688 | SAP / SAP Business One | — | 0.00 | — | 0.01 | — | Sep 14, 2021 | SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. |