VYPR

SAP

All CVEs

1,818 total · sorted by risk
  • CVE-2026-23683 · Medium · Jan 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a low impact on confidentiality; integrity and availability are not impacted.

  • CVE-2026-0497 · Medium · Jan 13, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.

  • CVE-2026-0494 · Medium · Jan 13, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Under certain conditions the SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has a low impact on confidentiality of the application; integrity and availability are not impacted.

  • CVE-2026-0493 · Medium · Jan 13, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type; this deviation from expected request semantics may allow an attacker to trigger…

  • CVE-2025-42899 · Medium · Nov 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application.

  • CVE-2025-42882 · Medium · Nov 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment…

  • CVE-2025-42939 · Medium · Oct 14, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering with the request parameter. Due to a missing authorization check, the attacker can delete shared rule…

  • CVE-2025-42903 · Medium · Oct 14, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or…

  • CVE-2025-42925 · Medium · Sep 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close…

  • CVE-2025-42923 · Medium · Sep 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker into sending an unintended request to the web server. This has a low impact on integrity and no impact on confidentiality and availability of the…

  • CVE-2025-42934 · Medium · Aug 12, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has…

  • CVE-2025-42960 · Medium · Jul 8, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries. It has no impact…

  • CVE-2025-42991 · Medium · Jun 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete an attachment from the bank account application of another user, leading to a low impact on integrity, with no impact on the confidentiality of…

  • CVE-2025-42987 · Medium · Jun 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering with the request parameter. Due to a missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of…

  • CVE-2025-43005 · Medium · May 13, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the…

  • CVE-2025-43002 · Medium · May 13, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.

  • CVE-2025-31327 · Medium · Apr 22, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not…

  • CVE-2025-31333 · Medium · Apr 8, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which an entity set could be externally modified by an attacker, causing a low impact on integrity of the application. Confidentiality and availability are not impacted.

  • CVE-2025-31331 · Medium · Apr 8, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code…

  • CVE-2025-27437 · Medium · Apr 8, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive…

  • CVE-2025-27436 · Medium · Mar 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a…

  • CVE-2025-27433 · Medium · Mar 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on…

  • CVE-2025-26660 · Medium · Mar 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application,…

  • CVE-2025-26656 · Medium · Mar 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.

  • CVE-2025-23188 · Medium · Mar 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and…

  • CVE-2025-24872 · Medium · Feb 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This…

  • CVE-2025-24869 · Medium · Feb 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need…

  • CVE-2025-23189 · Medium · Feb 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to a missing authorization check in an RFC-enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability.

  • CVE-2025-0068 · Medium · Jan 14, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the…

  • CVE-2024-47585 · Medium · Dec 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are…

  • CVE-2024-47581 · Medium · Dec 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP HCM Approve Timesheets Version 4 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. There is a low impact on integrity of the application. Confidentiality and availability are not impacted.

  • CVE-2024-47593 · Medium · Nov 12, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was…

  • CVE-2024-44121 · Medium · Sep 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would otherwise be restricted. The vulnerability could expose internal user data that should remain confidential. It does not impact the integrity and…

  • CVE-2024-44113 · Medium · Sep 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on…

  • CVE-2024-41729 · Medium · Sep 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the…

  • CVE-2024-39596 · Medium · Jul 9, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to missing authorization checks, SAP Enable Now allows an author to escalate privileges to access information which should otherwise be restricted. On successful exploitation, the attacker can cause limited impact on confidentiality of the application.

  • CVE-2024-4139 · Medium · May 14, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application.…

  • CVE-2024-4138 · Medium · May 14, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of…

  • CVE-2024-30217 · Medium · Apr 9, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the…

  • CVE-2024-30216 · Medium · Apr 9, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can add notes in the review request with 'completed' status, affecting the integrity of…

  • CVE-2018-2434 · Medium · Jul 10, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    A content spoofing vulnerability in the following components allows rendering of HTML pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP…

  • CVE-2018-2366 · Medium · Mar 14, 2018
    risk 0.28 · cvss 4.3 · epss 0.02

    SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs.

  • CVE-2016-6859 · Medium · Dec 31, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.

  • CVE-2016-3639 · Medium · Sep 26, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128.

  • CVE-2026-24315 · Medium · Jun 9, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain, which, when opened by the user, could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge…

  • CVE-2026-27683 · Medium · Apr 14, 2026
    risk 0.27 · cvss 4.1 · epss 0.00

    SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This…

  • CVE-2026-24318 · Medium · Apr 14, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    Due to an insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim's session. If the application continues to accept…

  • CVE-2025-42935 · Medium · Aug 12, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the…

  • CVE-2025-42965 · Medium · Jul 8, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints.…

  • CVE-2025-31326 · Medium · Jul 8, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application…

Page 9 of 37