VYPR

Vendor CVEs

SAP

All CVEs

1,818 total · sorted by risk
  • CVE-2020-6216Apr 14, 2020
    risk 0.00cvss epss 0.01

    SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.

  • CVE-2020-6221Apr 14, 2020
    risk 0.00cvss epss 0.01

    Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2020-6223Apr 14, 2020
    risk 0.00cvss epss 0.01

    The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application,…

  • CVE-2020-6218Apr 14, 2020
    risk 0.00cvss epss 0.01

    Admin tools and Query Builder in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to access information that should otherwise be restricted, leading to Information Disclosure.

  • CVE-2020-6214Apr 14, 2020
    risk 0.00cvss epss 0.01

    SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change,…

  • CVE-2020-6215Apr 14, 2020
    risk 0.00cvss epss 0.02

    SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, allows an attacker to redirect users to a malicious site due to insufficient URL validation and steal credentials of the victim, leading to URL…

  • CVE-2020-6210Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode user-controlled inputs, and hence allowing the attacker to inject the meta tag into the launchpad html using the vulnerable parameter, leading to reflected Cross-Site Scripting (XSS) vulnerability.

  • CVE-2020-6208Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP Business Objects Business Intelligence Platform (Crystal Reports), versions- 4.1, 4.2, allows an attacker with basic authorization to inject code that can be executed by the application and thus allowing the attacker to control the behaviour of the application, leading to…

  • CVE-2020-6206Mar 10, 2020
    risk 0.00cvss epss 0.00

    SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning massages. This could mislead the victim to follow malicious instructions inserted by external attackers, leading to Cross Site Request Forgery.

  • CVE-2020-6205Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or…

  • CVE-2020-6204Mar 10, 2020
    risk 0.00cvss epss 0.01

    The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more records than it should be when selecting and displaying the contract number,…

  • CVE-2020-6203Mar 10, 2020
    risk 0.00cvss epss 0.02

    SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the…

  • CVE-2020-6202Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.

  • CVE-2020-6201Mar 10, 2020
    risk 0.00cvss epss 0.01

    The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting.

  • CVE-2020-6200Mar 10, 2020
    risk 0.00cvss epss 0.01

    The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.

  • CVE-2020-6199Mar 10, 2020
    risk 0.00cvss epss 0.00

    The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103, 104; does not have any authorization check to it due to which an attacker…

  • CVE-2020-6198Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check.

  • CVE-2020-6197Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.

  • CVE-2020-6196Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an attacker to generate multiple requests, using which he can block all the threads resulting in a Denial of Service.

  • CVE-2020-6178Mar 10, 2020
    risk 0.00cvss epss 0.01

    SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure.

  • CVE-2015-7968Mar 9, 2020
    risk 0.00cvss epss 0.01

    nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.

  • CVE-2020-6185Feb 12, 2020
    risk 0.00cvss epss 0.01

    Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.

  • CVE-2020-6181Feb 12, 2020
    risk 0.00cvss epss 0.01

    Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user,…

  • CVE-2020-6186Feb 12, 2020
    risk 0.00cvss epss 0.01

    SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service.

  • CVE-2020-6183Feb 12, 2020
    risk 0.00cvss epss 0.01

    SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may contain data read with user root privileges e.g. size of any directory, system…

  • CVE-2020-6184Feb 12, 2020
    risk 0.00cvss epss 0.01

    Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.

  • CVE-2020-6191Feb 12, 2020
    risk 0.00cvss epss 0.02

    SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation.

  • CVE-2020-6188Feb 12, 2020
    risk 0.00cvss epss 0.01

    VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing…

  • CVE-2020-6190Feb 12, 2020
    risk 0.00cvss epss 0.01

    Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.

  • CVE-2020-6189Feb 12, 2020
    risk 0.00cvss epss 0.01

    Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would otherwise be restricted leading to Information Disclosure.

  • CVE-2020-6187Feb 12, 2020
    risk 0.00cvss epss 0.01

    SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.

  • CVE-2020-6177Feb 12, 2020
    risk 0.00cvss epss 0.01

    SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Since SAP Mobile Platform does not allow External-Entity resolving, there is no issue of leaking content of files on…

  • CVE-2020-6192Feb 12, 2020
    risk 0.00cvss epss 0.02

    SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management.

  • CVE-2020-6193Feb 12, 2020
    risk 0.00cvss epss 0.01

    SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability.

  • CVE-2011-1517Feb 5, 2020
    risk 0.00cvss epss 0.04

    SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash.

  • CVE-2013-1593Jan 23, 2020
    risk 0.00cvss epss 0.02

    A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN.

  • CVE-2020-6306Jan 14, 2020
    risk 0.00cvss epss 0.01

    Missing authorization check in a transaction within SAP Leasing (update provided in SAP_APPL 6.18, EA-APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17).

  • CVE-2020-6305Jan 14, 2020
    risk 0.00cvss epss 0.01

    PI Rest Adapter of SAP Process Integration (update provided in SAP_XIAF 7.31, 7.40, 7.50) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2020-6304Jan 14, 2020
    risk 0.00cvss epss 0.01

    Improper input validation in SAP NetWeaver Internet Communication Manager (update provided in KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49 KERNEL 7.21, 7.49, 7.53) allows an attacker to prevent users from accessing its…

  • CVE-2020-6307Jan 14, 2020
    risk 0.00cvss epss 0.01

    Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information.

  • CVE-2019-20155Jan 5, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in report_edit.jsp in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. Any authenticated user may execute Groovy code when generating a report, resulting in arbitrary code execution on the underlying server.

  • CVE-2019-20154Jan 5, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2019-20153Jan 5, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files…

  • CVE-2019-0384Dec 17, 2019
    risk 0.00cvss epss 0.01

    Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user…

  • CVE-2019-0383Dec 17, 2019
    risk 0.00cvss epss 0.01

    Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in…

  • CVE-2019-0405Dec 11, 2019
    risk 0.00cvss epss 0.01

    SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure.

  • CVE-2019-0404Dec 11, 2019
    risk 0.00cvss epss 0.01

    SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure.

  • CVE-2019-0403Dec 11, 2019
    risk 0.00cvss epss 0.02

    SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection.

  • CVE-2019-0398Dec 11, 2019
    risk 0.00cvss epss 0.00

    Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the web server, leading to Cross Site Request Forgery.

  • CVE-2019-0395Dec 11, 2019
    risk 0.00cvss epss 0.01

    SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

Page 29 of 37