VYPR: SAP vendor CVEs (all CVEs)

1,818 total · sorted by risk
  • CVE-2019-0247 (Jan 8, 2019)
    risk 0.00 · cvss · epss 0.01

    SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

  • CVE-2019-0245 (Jan 8, 2019)
    risk 0.00 · cvss · epss 0.01

    SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

  • CVE-2019-0243 (Jan 8, 2019)
    risk 0.00 · cvss · epss 0.02

    Under some circumstances, master data maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges.

  • CVE-2019-0246 (Jan 8, 2019)
    risk 0.00 · cvss · epss 0.03

    SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity.

  • CVE-2019-0249 (Jan 8, 2019)
    risk 0.00 · cvss · epss 0.02

    Under certain conditions SAP Landscape Management (VCM 3.0) allows an attacker to access information which would otherwise be restricted.

  • CVE-2018-2492 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    The SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

  • CVE-2018-2486 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2494 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    Missing authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750 (from 750 onwards delivered as ABAP Platform).

  • CVE-2018-2502 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    The TRACE method is enabled in SAP Business One Service Layer. An attacker can mount a Cross-Site Tracing (XST) attack if a frontend application that uses the Service Layer has an XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3).

  • CVE-2018-2500 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.00

    Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted.

  • CVE-2018-2497 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT.

  • CVE-2018-2504 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host header manipulation or a Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

  • CVE-2018-2503 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).

  • CVE-2018-2505 (Dec 11, 2018)
    risk 0.00 · cvss · epss 0.01

    SAP Commerce does not sufficiently validate user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in SAP Hybris Commerce versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7.

  • CVE-2018-2483 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    HTTP verb tampering is possible in the Central Management Console (CMC) of SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, by changing the request method.

  • CVE-2018-2485 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store…

  • CVE-2018-2482 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.02

    SAP Mobile Secure Android Application, Mobile-secure.apk Android client, before version 6.60.19942.0, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Install the Mobile Secure Android client released in Mid-Oct…

  • CVE-2018-2479 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2473 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.02

    SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using the Web Intelligence Rich Client 3-tier mode gateway, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

  • CVE-2018-2491 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the…

  • CVE-2018-2481 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    In some SAP standard roles in SAP_ABA versions 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and 75C to 75D, a transaction code reserved for customers is used. By implementing such a transaction code, a malicious user may execute unauthorized transaction functionality.

  • CVE-2018-2488 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    It is possible for a malware application installed on an Android device to send local push notifications with an empty message to SAP Fiori Client and cause the application to crash. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must…

  • CVE-2018-2490 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.

  • CVE-2018-2489 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    Locally, without any permission, an arbitrary Android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in the Google Play store addresses these issues and users must update to that version.

  • CVE-2018-2476 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.01

    Due to insufficient URL validation in Forums in SAP NetWeaver versions 7.30, 7.31 and 7.40, an attacker can redirect users to a malicious site.

  • CVE-2018-2478 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.02

    An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation (SAP Basis, versions 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53). Not all commands are possible, only those that can be executed by the adm user. The…

  • CVE-2018-2477 (Nov 13, 2018)
    risk 0.00 · cvss · epss 0.02

    Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50, does not sufficiently validate an XML document accepted from an untrusted source.

  • CVE-2015-8600 (Dec 17, 2015)
    risk 0.00 · cvss · epss 0.01

    The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vectors, aka SAP Security Note 2227855.

  • CVE-2015-8330 (Nov 24, 2015)
    risk 0.00 · cvss · epss 0.03

    The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.

  • CVE-2015-8329 (Nov 24, 2015)
    risk 0.00 · cvss · epss 0.01

    SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via unspecified vectors, aka SAP Security Note 2240274.

  • CVE-2015-7994 (Nov 10, 2015)
    risk 0.00 · cvss · epss 0.03

    The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "SQL Login," aka SAP Security Note 2197428.

  • CVE-2015-7993 (Nov 10, 2015)
    risk 0.00 · cvss · epss 0.04

    The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login," aka SAP Security Note 2197397.

  • CVE-2015-7992 (Nov 10, 2015)
    risk 0.00 · cvss · epss 0.02

    SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to cause a denial of service (memory corruption and indexserver crash) via unspecified vectors to the EXECUTE_SEARCH_RULE_SET stored procedure, aka SAP Security Note 2175928.

  • CVE-2015-7991 (Nov 10, 2015)
    risk 0.00 · cvss · epss 0.02

    The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.

  • CVE-2015-8030 (Oct 30, 2015)
    risk 0.00 · cvss · epss 0.04

    SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities.

  • CVE-2015-8029 (Oct 30, 2015)
    risk 0.00 · cvss · epss 0.03

    SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption.

  • CVE-2015-8028 (Oct 30, 2015)
    risk 0.00 · cvss · epss 0.04

    Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file.

  • CVE-2015-7730 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.04

    SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108.

  • CVE-2015-7729 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.01

    Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via unspecified vectors, aka SAP Security Note 2153892.

  • CVE-2015-7728 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in user creation in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to inject arbitrary web script or HTML via the username, aka SAP Security Note 2153898.

  • CVE-2015-7727 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors in the (1) trace configuration page or (2)…

  • CVE-2015-7726 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script or HTML via the role name, aka SAP Security Note 2153898.

  • CVE-2015-7725 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.02

    Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1) remoteSourceName in the dropCredentials function or unspecified vectors in the (2)…

  • CVE-2015-6507 (Oct 15, 2015)
    risk 0.00 · cvss · epss 0.00

    The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows local users to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2140700.

  • CVE-2015-7239 (Sep 18, 2015)
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-6664 (Aug 24, 2015)
    risk 0.00 · cvss · epss 0.02

    XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2152227.

  • CVE-2015-6663 (Aug 24, 2015)
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Client form in the Device Inspector page in SAP Afaria 7 allows remote attackers to inject arbitrary web script or HTML via crafted client name data, aka SAP Security Note 2152669.

  • CVE-2015-6662 (Aug 24, 2015)
    risk 0.00 · cvss · epss 0.02

    XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485.

  • CVE-2015-3621 (Jul 16, 2015)
    risk 0.00 · cvss · epss 0.02

    Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program.

  • CVE-2015-3449 (Jul 16, 2015)
    risk 0.00 · cvss · epss 0.01

    The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService.exe file.

Page 32 of 37