VYPR Vendor CVEs: SAP (All CVEs)

1,818 total · sorted by risk
  • CVE-2024-22124 · Jan 9, 2024
    risk 0.00 · cvss · epss 0.00

    Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow…

  • CVE-2024-21738 · Jan 9, 2024
    risk 0.00 · cvss · epss 0.00

    SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful…

  • CVE-2024-21737 · Jan 9, 2024
    risk 0.00 · cvss · epss 0.01

    In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such a user can control the behaviour of the application. This leads to considerable…

  • CVE-2024-21736 · Jan 9, 2024
    risk 0.00 · cvss · epss 0.00

    SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of…

  • CVE-2024-21734 · Jan 9, 2024
    risk 0.00 · cvss · epss 0.00

    SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user into opening a malicious page, which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.

  • CVE-2023-50424 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the…

  • CVE-2023-50423 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

  • CVE-2023-6542 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward web pages and/or deep links to himself without any validation directly from the host application. On successful attack, an attacker could navigate to…

  • CVE-2023-49587 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of the same or another component without user interaction over the network.

  • CVE-2023-49584 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application.

  • CVE-2023-50422 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated…

  • CVE-2023-49583 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

  • CVE-2023-49581 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the…

  • CVE-2023-49580 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the…

  • CVE-2023-49578 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform a Denial of Service attack from an adjacent UI by sending a malicious request, which leads to low impact on the availability and no impact on confidentiality or integrity of the application.

  • CVE-2023-49577 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact…

  • CVE-2023-49058 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact…

  • CVE-2023-42481 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM 2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront…

  • CVE-2023-42479 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.00

    An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.

  • CVE-2023-42478 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.

  • CVE-2023-42476 · Dec 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victim’s browser each time the vulnerable page is visited. Successful exploitation can lead to…

  • CVE-2023-42480 · Nov 14, 2023
    risk 0.00 · cvss · epss 0.01

    An unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.

  • CVE-2023-41366 · Nov 14, 2023
    risk 0.00 · cvss · epss 0.01

    Under certain conditions SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22,…

  • CVE-2023-31403 · Nov 14, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by…

  • CVE-2023-36920 · Oct 30, 2023
    risk 0.00 · cvss · epss 0.00

    In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or…

  • CVE-2023-42477 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.00

    SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.

  • CVE-2023-42475 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.00

    The Statutory Reporting application has a vulnerable file storage location, potentially enabling a low-privileged attacker to read server files with minimal impact on confidentiality.

  • CVE-2023-42474 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.00

    SAP BusinessObjects Web Intelligence - version 420, has a URL with a parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information.

  • CVE-2023-42473 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.00

    S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application.

  • CVE-2023-41365 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the…

  • CVE-2023-40310 · Oct 10, 2023
    risk 0.00 · cvss · epss 0.01

    SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact…

  • CVE-2023-40307 · Sep 28, 2023
    risk 0.00 · cvss · epss 0.00

    An attacker with standard privileges on macOS when requesting administrator privileges from the application can submit input which causes a buffer overflow resulting in a crash of the application. This could make the application unavailable and allow reading or modification of…

  • CVE-2023-40309 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could…

  • CVE-2023-40621 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on behalf of the user. The application has a security option to disable or prompt…

  • CVE-2023-40622 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain conditions allows an authenticated attacker to view sensitive information which is otherwise restricted. On successful exploitation, the attacker can completely compromise…

  • CVE-2023-40623 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP BusinessObjects Suite Installer - versions 420, 430, allows an attacker within the network to create a directory under the temporary directory and link it to a directory with operating system files. On successful exploitation the attacker can delete all the operating system…

  • CVE-2023-40624 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could…

  • CVE-2023-40625 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on…

  • CVE-2023-41367 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    Due to a missing authentication check in a webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to the admin view of a specific function anonymously. On successful exploitation of the vulnerability under specific circumstances,…

  • CVE-2023-41368 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.

  • CVE-2023-41369 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause…

  • CVE-2023-42472 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.01

    Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network. When uploading the image file, an…

  • CVE-2023-40308 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.01

    SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any…

  • CVE-2023-37489 · Sep 12, 2023
    risk 0.00 · cvss · epss 0.00

    Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI, which leads to low impact on confidentiality and no impact on the application's…

  • CVE-2023-40306 · Sep 8, 2023
    risk 0.00 · cvss · epss 0.00

    SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.

  • CVE-2023-37486 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.00

    Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact…

  • CVE-2023-39440 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.00

    In SAP BusinessObjects Business Intelligence - version 420, if a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which an attacker might be able to get access to user credentials. For a successful attack, the…

  • CVE-2023-39439 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.

  • CVE-2023-39437 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Business One - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and get it delivered to the client, resulting in Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity…

  • CVE-2023-39436 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.00

    SAP Supplier Relationship Management - versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within the Vendor Master Data for Business Partners replication functionality. This information could be used to allow the…

Page 15 of 37