Vendor CVEs
SAP
All CVEs
1,818 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-44234 | 0.00 | — | 0.00 | Jan 14, 2022 | SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. | |||
| CVE-2022-22530 | 0.00 | — | 0.01 | Jan 14, 2022 | The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical… | |||
| CVE-2021-42061 | 0.00 | — | 0.00 | Dec 14, 2021 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will… | |||
| CVE-2021-42068 | 0.00 | — | 0.01 | Dec 14, 2021 | When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||
| CVE-2021-42070 | 0.00 | — | 0.01 | Dec 14, 2021 | When a user opens manipulated Jupiter Tessellation (.jt) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application | |||
| CVE-2021-42069 | 0.00 | — | 0.01 | Dec 14, 2021 | When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application | |||
| CVE-2021-42066 | 0.00 | — | 0.00 | Dec 14, 2021 | SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able… | |||
| CVE-2021-44232 | 0.00 | — | 0.01 | Dec 14, 2021 | SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary… | |||
| CVE-2021-44235 | 0.00 | — | 0.00 | Dec 14, 2021 | Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction… | |||
| CVE-2021-42062 | 0.00 | — | 0.01 | Nov 10, 2021 | SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability… | |||
| CVE-2021-40504 | 0.00 | — | 0.01 | Nov 10, 2021 | A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions. | |||
| CVE-2021-40503 | 0.00 | — | 0.00 | Nov 10, 2021 | An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the… | |||
| CVE-2021-40501 | 0.00 | — | 0.01 | Nov 10, 2021 | SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system.… | |||
| CVE-2021-40500 | 0.00 | — | 0.01 | Oct 12, 2021 | SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation… | |||
| CVE-2021-40498 | 0.00 | — | 0.00 | Oct 12, 2021 | A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service.… | |||
| CVE-2021-38183 | 0.00 | — | 0.01 | Oct 12, 2021 | SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web… | |||
| CVE-2021-40499 | 0.00 | — | 0.01 | Oct 12, 2021 | Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the… | |||
| CVE-2021-40496 | 0.00 | — | 0.01 | Oct 12, 2021 | SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial… | |||
| CVE-2021-38180 | 0.00 | — | 0.02 | Oct 12, 2021 | SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to… | |||
| CVE-2021-38178 | 0.00 | — | 0.01 | Oct 12, 2021 | The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this… | |||
| CVE-2021-40497 | 0.00 | — | 0.01 | Oct 12, 2021 | SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system… | |||
| CVE-2021-40495 | 0.00 | — | 0.01 | Oct 12, 2021 | There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP… | |||
| CVE-2021-38181 | 0.00 | — | 0.01 | Oct 12, 2021 | SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | |||
| CVE-2021-38179 | 0.00 | — | 0.01 | Oct 12, 2021 | Debug function of Admin UI of SAP Business One Integration is enabled by default. This allows Admin User to see the captured packet contents which may include User credentials. | |||
| CVE-2021-33704 | 0.00 | — | 0.01 | Sep 15, 2021 | The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited… | |||
| CVE-2021-33701 | 0.00 | — | 0.02 | Sep 15, 2021 | DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute… | |||
| CVE-2021-33698 | 0.00 | — | 0.01 | Sep 15, 2021 | SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. | |||
| CVE-2021-33705 | 0.00 | — | 0.02 | Sep 15, 2021 | The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of… | |||
| CVE-2021-33700 | 0.00 | — | 0.00 | Sep 15, 2021 | SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take… | |||
| CVE-2021-33694 | 0.00 | — | 0.00 | Sep 15, 2021 | SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored… | |||
| CVE-2021-33691 | 0.00 | — | 0.01 | Sep 15, 2021 | NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a… | |||
| CVE-2021-33693 | 0.00 | — | 0.01 | Sep 15, 2021 | SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution. | |||
| CVE-2021-33697 | 0.00 | — | 0.01 | Sep 15, 2021 | Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||
| CVE-2021-33695 | 0.00 | — | 0.01 | Sep 15, 2021 | Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate. | |||
| CVE-2021-33692 | 0.00 | — | 0.01 | Sep 15, 2021 | SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories. | |||
| CVE-2021-33696 | 0.00 | — | 0.00 | Sep 15, 2021 | SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from… | |||
| CVE-2021-38174 | 0.00 | — | 0.01 | Sep 14, 2021 | When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | |||
| CVE-2021-33688 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. | |||
| CVE-2021-33686 | 0.00 | — | 0.01 | Sep 14, 2021 | Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree. | |||
| CVE-2021-38177 | 0.00 | — | 0.03 | Sep 14, 2021 | SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the… | |||
| CVE-2021-33685 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data | |||
| CVE-2021-33672 | 0.00 | — | 0.01 | Sep 14, 2021 | Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the… | |||
| CVE-2021-38175 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. The attack would not lead to an impact on the availability of the… | |||
| CVE-2021-37535 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | |||
| CVE-2021-33679 | 0.00 | — | 0.00 | Sep 14, 2021 | The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in… | |||
| CVE-2021-38176 | 0.00 | — | 0.01 | Sep 14, 2021 | Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the… | |||
| CVE-2021-38164 | 0.00 | — | 0.00 | Sep 14, 2021 | SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be… | |||
| CVE-2021-38162 | 0.00 | — | 0.03 | Sep 14, 2021 | SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end… | |||
| CVE-2021-37532 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User. | |||
| CVE-2021-21489 | 0.00 | — | 0.01 | Sep 14, 2021 | SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious… |
- CVE-2021-44234Jan 14, 2022risk 0.00cvss —epss 0.00
SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
- CVE-2022-22530Jan 14, 2022risk 0.00cvss —epss 0.01
The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical…
- CVE-2021-42061Dec 14, 2021risk 0.00cvss —epss 0.00
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will…
- CVE-2021-42068Dec 14, 2021risk 0.00cvss —epss 0.01
When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.
- CVE-2021-42070Dec 14, 2021risk 0.00cvss —epss 0.01
When a user opens manipulated Jupiter Tessellation (.jt) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application
- CVE-2021-42069Dec 14, 2021risk 0.00cvss —epss 0.01
When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application
- CVE-2021-42066Dec 14, 2021risk 0.00cvss —epss 0.00
SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able…
- CVE-2021-44232Dec 14, 2021risk 0.00cvss —epss 0.01
SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary…
- CVE-2021-44235Dec 14, 2021risk 0.00cvss —epss 0.00
Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction…
- CVE-2021-42062Nov 10, 2021risk 0.00cvss —epss 0.01
SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability…
- CVE-2021-40504Nov 10, 2021risk 0.00cvss —epss 0.01
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.
- CVE-2021-40503Nov 10, 2021risk 0.00cvss —epss 0.00
An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the…
- CVE-2021-40501Nov 10, 2021risk 0.00cvss —epss 0.01
SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system.…
- CVE-2021-40500Oct 12, 2021risk 0.00cvss —epss 0.01
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation…
- CVE-2021-40498Oct 12, 2021risk 0.00cvss —epss 0.00
A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service.…
- CVE-2021-38183Oct 12, 2021risk 0.00cvss —epss 0.01
SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web…
- CVE-2021-40499Oct 12, 2021risk 0.00cvss —epss 0.01
Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the…
- CVE-2021-40496Oct 12, 2021risk 0.00cvss —epss 0.01
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial…
- CVE-2021-38180Oct 12, 2021risk 0.00cvss —epss 0.02
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to…
- CVE-2021-38178Oct 12, 2021risk 0.00cvss —epss 0.01
The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this…
- CVE-2021-40497Oct 12, 2021risk 0.00cvss —epss 0.01
SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system…
- CVE-2021-40495Oct 12, 2021risk 0.00cvss —epss 0.01
There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP…
- CVE-2021-38181Oct 12, 2021risk 0.00cvss —epss 0.01
SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
- CVE-2021-38179Oct 12, 2021risk 0.00cvss —epss 0.01
Debug function of Admin UI of SAP Business One Integration is enabled by default. This allows Admin User to see the captured packet contents which may include User credentials.
- CVE-2021-33704Sep 15, 2021risk 0.00cvss —epss 0.01
The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited…
- CVE-2021-33701Sep 15, 2021risk 0.00cvss —epss 0.02
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute…
- CVE-2021-33698Sep 15, 2021risk 0.00cvss —epss 0.01
SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.
- CVE-2021-33705Sep 15, 2021risk 0.00cvss —epss 0.02
The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of…
- CVE-2021-33700Sep 15, 2021risk 0.00cvss —epss 0.00
SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take…
- CVE-2021-33694Sep 15, 2021risk 0.00cvss —epss 0.00
SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored…
- CVE-2021-33691Sep 15, 2021risk 0.00cvss —epss 0.01
NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a…
- CVE-2021-33693Sep 15, 2021risk 0.00cvss —epss 0.01
SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution.
- CVE-2021-33697Sep 15, 2021risk 0.00cvss —epss 0.01
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
- CVE-2021-33695Sep 15, 2021risk 0.00cvss —epss 0.01
Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate.
- CVE-2021-33692Sep 15, 2021risk 0.00cvss —epss 0.01
SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories.
- CVE-2021-33696Sep 15, 2021risk 0.00cvss —epss 0.00
SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from…
- CVE-2021-38174Sep 14, 2021risk 0.00cvss —epss 0.01
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
- CVE-2021-33688Sep 14, 2021risk 0.00cvss —epss 0.01
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.
- CVE-2021-33686Sep 14, 2021risk 0.00cvss —epss 0.01
Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.
- CVE-2021-38177Sep 14, 2021risk 0.00cvss —epss 0.03
SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the…
- CVE-2021-33685Sep 14, 2021risk 0.00cvss —epss 0.01
SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data
- CVE-2021-33672Sep 14, 2021risk 0.00cvss —epss 0.01
Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the…
- CVE-2021-38175Sep 14, 2021risk 0.00cvss —epss 0.01
SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. The attack would not lead to an impact on the availability of the…
- CVE-2021-37535Sep 14, 2021risk 0.00cvss —epss 0.01
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.
- CVE-2021-33679Sep 14, 2021risk 0.00cvss —epss 0.00
The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in…
- CVE-2021-38176Sep 14, 2021risk 0.00cvss —epss 0.01
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the…
- CVE-2021-38164Sep 14, 2021risk 0.00cvss —epss 0.00
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be…
- CVE-2021-38162Sep 14, 2021risk 0.00cvss —epss 0.03
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end…
- CVE-2021-37532Sep 14, 2021risk 0.00cvss —epss 0.01
SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User.
- CVE-2021-21489Sep 14, 2021risk 0.00cvss —epss 0.01
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious…
Page 22 of 37