SAP

All CVEs

1,818 total · sorted by risk
  • CVE-2014-8660 · Nov 6, 2014
    risk 0.00 · cvss · epss 0.00

    SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors.

  • CVE-2014-8659 · Nov 6, 2014
    risk 0.00 · cvss · epss 0.02

    Directory traversal vulnerability in SAP Environment, Health, and Safety allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2014-8592 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via a crafted request.

  • CVE-2014-8591 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in SAP Internet Communication Manager (ICM), as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via unknown vectors.

  • CVE-2014-8590 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.02

    XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request.

  • CVE-2014-8589 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.02

    Integer overflow in SAP Network Interface Router (SAProuter) 40.4 allows remote attackers to cause a denial of service (resource consumption) via crafted requests.

  • CVE-2014-8588 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-8587 · Nov 4, 2014
    risk 0.00 · cvss · epss 0.01

    SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm (DSA) signatures via unspecified vectors.

  • CVE-2014-6283 · Oct 17, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 before ESD#5.4, and 15.0.3 before ESD#4.4 does not properly restrict access, which allows remote authenticated database users to (1) overwrite the master encryption key or (2) trigger a buffer overflow via a…

  • CVE-2014-8316 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.03

    XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request.

  • CVE-2014-8315 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on whether a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter.

  • CVE-2014-8314 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA Developer Edition Revision 70 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) epm/admin/DataGen.xsjs or (2) epm/services/multiply.xsjs in the democontent.

  • CVE-2014-8313 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors.

  • CVE-2014-8312 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    Business Warehouse (BW) in SAP NetWeaver AS ABAP 7.31 allows remote authenticated users to obtain sensitive information via a request to the RSDU_CCMS_GET_PROFILE_PARAM RFC function.

  • CVE-2014-8311 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener.

  • CVE-2014-8310 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.03

    The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via a crafted OSCAFactory::Session ORB message.

  • CVE-2014-8309 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise…

  • CVE-2014-8308 · Oct 16, 2014
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2014-6252 · Sep 5, 2014
    risk 0.00 · cvss · epss 0.02

    Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors.

  • CVE-2014-5506 · Sep 4, 2014
    risk 0.00 · cvss · epss 0.03

    Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted connection string record in an RPT file.

  • CVE-2014-5505 · Sep 4, 2014
    risk 0.00 · cvss · epss 0.04

    Stack-based buffer overflow in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted data source string in an RPT file.

  • CVE-2014-5176 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.02

    SAP FI Manager Self-Service has a hard-coded user name, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-5175 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.02

    The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS.

  • CVE-2014-5174 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.02

    The SAP NetWeaver Business Warehouse component does not properly restrict access to the functions in the BW-SYS-DB-DB4 function group, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

  • CVE-2014-5173 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.03

    SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public.

  • CVE-2014-5172 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2014-5171 · Jul 31, 2014
    risk 0.00 · cvss · epss 0.02

    SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

  • CVE-2014-4161 · Jun 13, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.

  • CVE-2014-4160 · Jun 13, 2014
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the testcanvas node in SAP NetWeaver Business Client (NWBC) allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) sap-accessibility parameter.

  • CVE-2014-4159 · Jun 13, 2014
    risk 0.00 · cvss · epss 0.01

    Open redirect vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

  • CVE-2014-4012 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Open Hub Service has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4011 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Capacity Leveling has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4010 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Transaction Data Pool has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4009 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP CCMS Monitoring (BC-CCM-MON) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4008 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Web Services Tool (CA-WUI-WST) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4007 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    The SAP Upgrade tools for ABAP have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4006 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4005 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Brazil add-on has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4004 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.01

    The (1) Structures and (2) Project-Oriented Procurement components in SAP Project System have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-4003 · Jun 9, 2014
    risk 0.00 · cvss · epss 0.03

    The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system.

  • CVE-2014-3787 · May 19, 2014
    risk 0.00 · cvss · epss 0.01

    SAP NetWeaver 7.20 and earlier allows remote attackers to read arbitrary SAP Central User Administration (SAP CUA) tables via unspecified vectors.

  • CVE-2014-3134 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2014-3133 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.02

    SAP NetWeaver Java Application Server does not properly restrict access, which allows remote attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection.

  • CVE-2014-3132 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Background Processing does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1.

  • CVE-2014-3131 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.01

    SAP Profile Maintenance does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1.

  • CVE-2014-3130 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.00

    The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basis in SAP NetWeaver ABAP Application Server do not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages.

  • CVE-2014-3129 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.02

    The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allow remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1.

  • CVE-2014-2752 · Apr 10, 2014
    risk 0.00 · cvss · epss 0.02

    SAP Business Object Processing Framework (BOPF) for ABAP has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-2751 · Apr 10, 2014
    risk 0.00 · cvss · epss 0.02

    SAP Print and Output Management has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

  • CVE-2014-2749 · Apr 10, 2014
    risk 0.00 · cvss · epss 0.02

    The HANA ICM process in SAP HANA allows remote attackers to obtain the platform version, host name, instance number, and possibly other sensitive information via a malformed HTTP GET request.
