Vendor CVEs
SAP
All CVEs
1,818 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-27585 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-21484 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind. |
| CVE-2021-21487 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2021-21493 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | When a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. |
| CVE-2021-21486 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2021-21481 | | | 0.00 | — | 0.01 | | Mar 9, 2021 | The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This… |
| CVE-2021-21316 | | | 0.00 | — | 0.01 | | Feb 16, 2021 | less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before version 0.10., when processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript… |
| CVE-2021-21478 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | SAP Web Dynpro ABAP allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |
| CVE-2021-21476 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. |
| CVE-2021-21444 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking… |
| CVE-2021-21474 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest, an attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and… |
| CVE-2021-21477 | | | 0.00 | — | 0.30 | | Feb 9, 2021 | SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code… |
| CVE-2021-21475 | | | 0.00 | — | 0.02 | | Feb 9, 2021 | Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file… |
| CVE-2021-21472 | | | 0.00 | — | 0.01 | | Feb 9, 2021 | SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force… |
| CVE-2021-21469 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any… |
| CVE-2021-21466 | | | 0.00 | — | 0.03 | | Jan 12, 2021 | SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious… |
| CVE-2021-21445 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user. A successful exploitation of this vulnerability may lead… |
| CVE-2021-21463 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21467 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. An unauthorized User is allowed to display restricted Business Partner Generic Market Data (GMD), due to improper… |
| CVE-2021-21470 | | | 0.00 | — | 0.00 | | Jan 12, 2021 | SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept… |
| CVE-2021-21465 | | | 0.00 | — | 0.04 | | Jan 12, 2021 | The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL… |
| CVE-2021-21468 | | | 0.00 | — | 0.02 | | Jan 12, 2021 | The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. |
| CVE-2021-21462 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21447 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which… |
| CVE-2021-21457 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21456 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21448 | | | 0.00 | — | 0.00 | | Jan 12, 2021 | SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory. Under certain conditions the attacker can access information which would otherwise be restricted. The exploit can only be… |
| CVE-2021-21461 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated BMP file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21446 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service. |
| CVE-2021-21449 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21458 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21450 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21453 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21454 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21464 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21451 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated SGI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21455 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21452 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21460 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2021-21459 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper… |
| CVE-2020-26171 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them. |
| CVE-2020-26172 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp. |
| CVE-2020-26173 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required. |
| CVE-2020-26174 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser (client-side) and can be circumvented. This allows an attacker to… |
| CVE-2020-26175 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users. |
| CVE-2020-26176 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective… |
| CVE-2020-26177 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to… |
| CVE-2020-26178 | | | 0.00 | — | 0.01 | | Dec 18, 2020 | In tangro Business Workflow before 1.18.1, knowing an attachment ID, it is possible to download workitem attachments without being authenticated. |
| CVE-2020-26837 | | | 0.00 | — | 0.02 | | Dec 9, 2020 | SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise… |
| CVE-2020-26838 | | | 0.00 | — | 0.02 | | Dec 9, 2020 | SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any… |
Page 25 of 37