Vendor CVEs: SAP
All CVEs
1,818 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-42911 | 0.00 | — | 0.00 | Sep 9, 2025 | SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and… |
| CVE-2025-42936 | 0.00 | — | 0.00 | Aug 12, 2025 | The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles. This issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This… |
| CVE-2025-42956 | 0.00 | — | 0.00 | Jul 8, 2025 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page… |
| CVE-2025-42986 | 0.00 | — | 0.00 | Jul 8, 2025 | Due to a missing authorization check in an obsolete RFC-enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality,… |
| CVE-2025-42968 | 0.00 | — | 0.00 | Jul 8, 2025 | SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low… |
| CVE-2025-42988 | 0.00 | — | 0.00 | Jun 10, 2025 | Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause… |
| CVE-2025-23192 | 0.00 | — | 0.00 | Jun 10, 2025 | SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser, enabling the attacker to potentially access… |
| CVE-2025-30018 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which, when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high… |
| CVE-2025-30012 | 0.00 | — | 0.01 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component, which allows an unauthenticated attacker to send a malicious payload request in a specific encoding format. The servlet will then decode this malicious request which… |
| CVE-2025-30011 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to send a malicious request to the application, which could disclose the internal version… |
| CVE-2025-30010 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a… |
| CVE-2025-30009 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim's browser. This vulnerability has low impact on… |
| CVE-2025-31332 | 0.00 | — | 0.00 | Apr 8, 2025 | Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files, potentially disrupting operations or causing service downtime, hence leading to a high impact on integrity and availability.… |
| CVE-2025-25245 | 0.00 | — | 0.00 | Mar 11, 2025 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious URL in the data returned to the user. On successful exploitation,… |
| CVE-2025-23193 | 0.00 | — | 0.00 | Feb 11, 2025 | SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no… |
| CVE-2025-0064 | 0.00 | — | 0.00 | Feb 11, 2025 | Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high… |
| CVE-2025-0066 | 0.00 | — | 0.01 | Jan 14, 2025 | Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an… |
| CVE-2025-0063 | 0.00 | — | 0.01 | Jan 14, 2025 | SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of… |
| CVE-2025-0061 | 0.00 | — | 0.00 | Jan 14, 2025 | SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. The attacker can access and modify all the data of the application. |
| CVE-2025-0060 | 0.00 | — | 0.00 | Jan 14, 2025 | SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate as… |
| CVE-2025-0058 | 0.00 | — | 0.00 | Jan 14, 2025 | In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the… |
| CVE-2025-0053 | 0.00 | — | 0.00 | Jan 14, 2025 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the… |
| CVE-2024-32732 | 0.00 | — | 0.00 | Dec 10, 2024 | Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality with no impact on integrity and availability of the application. |
| CVE-2024-47595 | 0.00 | — | 0.00 | Nov 12, 2024 | An attacker who gains local membership to the sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application. |
| CVE-2024-47594 | 0.00 | — | 0.00 | Oct 8, 2024 | SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability in the KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks… |
| CVE-2024-45278 | 0.00 | — | 0.00 | Oct 8, 2024 | SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. |
| CVE-2024-45277 | 0.00 | — | 0.01 | Oct 8, 2024 | The SAP HANA Node.js client package, versions from 2.0.0 before 2.21.31, is impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature… |
| CVE-2024-37179 | 0.00 | — | 0.00 | Oct 8, 2024 | SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. |
| CVE-2024-9322 | 0.00 | — | 0.00 | Sep 29, 2024 | A vulnerability was found in code-projects Supply Chain Management 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/edit_manufacturer.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack… |
| CVE-2024-45281 | 0.00 | — | 0.00 | Sep 10, 2024 | SAP BusinessObjects Business Intelligence Platform allows a high-privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL… |
| CVE-2024-44112 | 0.00 | — | 0.00 | Sep 10, 2024 | Due to a missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect… |
| CVE-2024-41728 | 0.00 | — | 0.00 | Sep 10, 2024 | Due to a missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view… |
| CVE-2024-44114 | 0.00 | — | 0.00 | Sep 10, 2024 | SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. |
| CVE-2024-39591 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP Document Builder does not perform necessary authorization checks for one of the function modules, resulting in escalation of privileges and causing low impact on confidentiality of the application. |
| CVE-2024-42373 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically… |
| CVE-2024-41734 | 0.00 | — | 0.00 | Aug 13, 2024 | Due to a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user-related information. There is no impact on integrity or availability. |
| CVE-2024-41736 | 0.00 | — | 0.00 | Aug 13, 2024 | Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted, causing low impact on the confidentiality of the application. |
| CVE-2024-41731 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the integrity of the application. |
| CVE-2024-28166 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the integrity of the application. |
| CVE-2024-42375 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the integrity of the application. |
| CVE-2024-41732 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could… |
| CVE-2024-41737 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP CRM ABAP (Insights Management) allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of… |
| CVE-2024-41733 | 0.00 | — | 0.00 | Aug 13, 2024 | In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker… |
| CVE-2024-41735 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application. |
| CVE-2024-33005 | 0.00 | — | 0.00 | Aug 13, 2024 | Due to missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on… |
| CVE-2024-42377 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP Shared Service Framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application. |
| CVE-2024-42376 | 0.00 | — | 0.00 | Aug 13, 2024 | SAP Shared Service Framework does not perform a necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application. |
| CVE-2024-33003 | 0.00 | — | 0.00 | Aug 13, 2024 | Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation,… |
| CVE-2024-42374 | 0.00 | — | 0.01 | Aug 13, 2024 | BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm services, which makes the SAP ADS rendering (PDF creation)… |
| CVE-2024-34692 | 0.00 | — | 0.00 | Jul 9, 2024 | Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user and which could host malware. On successful exploitation an attacker can… |
Page 13 of 37