VYPR

SAP: All CVEs

1,818 total · sorted by risk
  • CVE-2025-42938 · Med · Sep 9, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's…

  • CVE-2025-42975 · Med · Aug 12, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing…

  • CVE-2025-42948 · Med · Aug 12, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's…

  • CVE-2025-42945 · Med · Aug 12, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited…

  • CVE-2025-42942 · Med · Aug 12, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server for ABAP has cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticated victim to click on it to execute the script. Upon successful exploitation, the…

  • CVE-2025-42985 · Med · Jul 8, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim's browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact…

  • CVE-2025-42981 · Med · Jul 8, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's…

  • CVE-2025-42969 · Med · Jul 8, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL unknowingly executes the malicious payload in their browser. On…

  • CVE-2025-42962 · Med · Jul 8, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. If an authenticated user clicks on this link, the injected script gets executed within the scope of victim's browser. This potentially leads to an impact on confidentiality and…

  • CVE-2025-43006 · Med · May 13, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the…

  • CVE-2025-31329 · Med · May 13, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    SAP NetWeaver is vulnerable to an Information Disclosure vulnerability caused by the injection of malicious instructions into user configuration settings. An attacker with administrative privileges can craft these instructions so that when accessed by the victim, sensitive…

  • CVE-2025-26659 · Med · Mar 11, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges to craft a malicious web message that exploits WEBGUI functionality. On successful…

  • CVE-2025-25242 · Med · Mar 11, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its…

  • CVE-2025-24867 · Med · Feb 11, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    SAP BusinessObjects Platform (BI Launchpad) does not sufficiently handle user input, resulting in Cross-Site Scripting (XSS) vulnerability. The application allows an unauthenticated attacker to craft a URL that embeds a malicious script within an unprotected parameter. When a…

  • CVE-2024-45279 · Med · Sep 10, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be…

  • CVE-2024-42378 · Med · Sep 10, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it…

  • CVE-2024-33002 · Med · May 14, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Document Service handler (obsolete) in Data Provisioning Service does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability with low impact on Confidentiality and Integrity of the application.

  • CVE-2024-32733 · Med · May 14, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker…

  • CVE-2018-2472 · Med · Oct 9, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2470 · Med · Oct 9, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2464 · Med · Sep 11, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2452 · Med · Sep 11, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

  • CVE-2018-2444 · Med · Aug 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2435 · Med · Jul 10, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2431 · Med · Jul 10, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2399 · Med · Mar 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-Site Scripting in Process Monitoring Infrastructure, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to inefficient encoding of user controlled inputs.

  • CVE-2018-2365 · Med · Mar 1, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2388 · Med · Feb 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Stored cross-site scripting vulnerability in SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53.

  • CVE-2018-2383 · Med · Feb 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Reflected cross-site scripting vulnerability in SAP Internet Graphics Server, 7.20, 7.20EXT, 7.45, 7.49, 7.53.

  • CVE-2018-2371 · Med · Feb 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    The SAML 2.0 service provider of SAP NetWeaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2018-2364 · Med · Feb 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.

  • CVE-2017-16685 · Med · Dec 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs.

  • CVE-2017-16681 · Med · Dec 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user controlled inputs are not sufficiently encoded.

  • CVE-2017-16679 · Med · Dec 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.

  • CVE-2017-14516 · Med · Dec 3, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292.

  • CVE-2017-15294 · Med · Oct 16, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.

  • CVE-2017-10701 · Med · Sep 29, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516.

  • CVE-2017-11460 · Med · Jul 25, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.

  • CVE-2017-11458 · Med · Jul 25, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.

  • CVE-2016-6856 · Med · Dec 31, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.

  • CVE-2016-4016 · Med · Apr 14, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationAp…

  • CVE-2016-3975 · Med · Apr 7, 2016
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.Navigatio…

  • CVE-2016-2387 · Med · Feb 16, 2016
    risk 0.40 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571.

  • CVE-2016-1911 · Med · Jan 15, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security…

  • CVE-2025-24870 · Med · Feb 11, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly…

  • CVE-2025-0059 · Med · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able…

  • CVE-2025-0056 · Med · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP GUI for Java saves user input on the client PC to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the…

  • CVE-2025-0055 · Med · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the…

  • CVE-2024-45283 · Med · Sep 10, 2024
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or…

  • CVE-2016-5845 · Med · Aug 13, 2016
    risk 0.39 · cvss 5.5 · epss 0.03

    SAP SAPCAR does not check the return value of file operations when extracting files, which allows remote attackers to cause a denial of service (program crash) via an invalid file name in an archive file, aka SAP Security Note 2312905.

Page 6 of 37