Vendor CVEs
SAP
All CVEs
1,818 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-23683 | Med | 0.28 | 4.3 | 0.00 | Jan 27, 2026 | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted. | ||
| CVE-2026-0497 | Med | 0.28 | 4.3 | 0.00 | Jan 13, 2026 | SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | ||
| CVE-2026-0494 | Med | 0.28 | 4.3 | 0.00 | Jan 13, 2026 | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. | ||
| CVE-2026-0493 | Med | 0.28 | 4.3 | 0.00 | Jan 13, 2026 | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger… | ||
| CVE-2025-42899 | Med | 0.28 | 4.3 | 0.00 | Nov 11, 2025 | SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application. | ||
| CVE-2025-42882 | Med | 0.28 | 4.3 | 0.00 | Nov 11, 2025 | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment… | ||
| CVE-2025-42939 | Med | 0.28 | 4.3 | 0.00 | Oct 14, 2025 | SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule… | ||
| CVE-2025-42903 | Med | 0.28 | 4.3 | 0.00 | Oct 14, 2025 | A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or… | ||
| CVE-2025-42925 | Med | 0.28 | 4.3 | 0.00 | Sep 9, 2025 | Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close… | ||
| CVE-2025-42923 | Med | 0.28 | 4.3 | 0.00 | Sep 9, 2025 | Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the… | ||
| CVE-2025-42934 | Med | 0.28 | 4.3 | 0.00 | Aug 12, 2025 | SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has… | ||
| CVE-2025-42960 | Med | 0.28 | 4.3 | 0.00 | Jul 8, 2025 | SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries.�It has no impact… | ||
| CVE-2025-42991 | Med | 0.28 | 4.3 | 0.00 | Jun 10, 2025 | SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete attachment from bank account application of other user, leading to a low impact on integrity, with no impact on the confidentiality of… | ||
| CVE-2025-42987 | Med | 0.28 | 4.3 | 0.00 | Jun 10, 2025 | SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of… | ||
| CVE-2025-43005 | Med | 0.28 | 4.3 | 0.00 | May 13, 2025 | SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the… | ||
| CVE-2025-43002 | Med | 0.28 | 4.3 | 0.00 | May 13, 2025 | SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted. | ||
| CVE-2025-31327 | Med | 0.28 | 4.3 | 0.00 | Apr 22, 2025 | SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not… | ||
| CVE-2025-31333 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2025 | SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which entity set could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability is not impacted. | ||
| CVE-2025-31331 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2025 | SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code… | ||
| CVE-2025-27437 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2025 | A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive… | ||
| CVE-2025-27436 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2025 | The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a… | ||
| CVE-2025-27433 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2025 | The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on… | ||
| CVE-2025-26660 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2025 | SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application,… | ||
| CVE-2025-26656 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2025 | OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application. | ||
| CVE-2025-23188 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2025 | An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and… | ||
| CVE-2025-24872 | Med | 0.28 | 4.3 | 0.00 | Feb 11, 2025 | The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This… | ||
| CVE-2025-24869 | Med | 0.28 | 4.3 | 0.00 | Feb 11, 2025 | SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need… | ||
| CVE-2025-23189 | Med | 0.28 | 4.3 | 0.00 | Feb 11, 2025 | Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability | ||
| CVE-2025-0068 | Med | 0.28 | 4.3 | 0.00 | Jan 14, 2025 | An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the… | ||
| CVE-2024-47585 | Med | 0.28 | 4.3 | 0.00 | Dec 10, 2024 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are… | ||
| CVE-2024-47581 | Med | 0.28 | 4.3 | 0.00 | Dec 10, 2024 | SAP HCM Approve Timesheets Version 4 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.There is low impact on integrity of the application. Confidentiality and availibility are not impacted. | ||
| CVE-2024-47593 | Med | 0.28 | 4.3 | 0.00 | Nov 12, 2024 | SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was… | ||
| CVE-2024-44121 | Med | 0.28 | 4.3 | 0.00 | Sep 10, 2024 | Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would otherwise be restricted. The vulnerability could expose internal user data that should remain confidential. It does not impact the integrity and… | ||
| CVE-2024-44113 | Med | 0.28 | 4.3 | 0.00 | Sep 10, 2024 | Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on… | ||
| CVE-2024-41729 | Med | 0.28 | 4.3 | 0.00 | Sep 10, 2024 | Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the… | ||
| CVE-2024-39596 | Med | 0.28 | 4.3 | 0.00 | Jul 9, 2024 | Due to missing authorization checks, SAP Enable Now allows an author to escalate privileges to access information which should otherwise be restricted. On successful exploitation, the attacker can cause limited impact on confidentiality of the application. | ||
| CVE-2024-4139 | Med | 0.28 | 4.3 | 0.00 | May 14, 2024 | Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application.… | ||
| CVE-2024-4138 | Med | 0.28 | 4.3 | 0.00 | May 14, 2024 | Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of… | ||
| CVE-2024-30217 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the… | ||
| CVE-2024-30216 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of… | ||
| CVE-2018-2434 | Med | 0.28 | 4.3 | 0.01 | Jul 10, 2018 | A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP… | ||
| CVE-2018-2366 | Med | 0.28 | 4.3 | 0.02 | Mar 14, 2018 | SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs. | ||
| CVE-2016-6859 | Med | 0.28 | 4.3 | 0.01 | Dec 31, 2016 | Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | ||
| CVE-2016-3639 | Med | 0.28 | 4.3 | 0.02 | Sep 26, 2016 | SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128. | ||
| CVE-2026-24315 | Med | 0.27 | 4.2 | 0.00 | Jun 9, 2026 | SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge… | ||
| CVE-2026-27683 | Med | 0.27 | 4.1 | 0.00 | Apr 14, 2026 | SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This… | ||
| CVE-2026-24318 | Med | 0.27 | 4.2 | 0.00 | Apr 14, 2026 | Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept… | ||
| CVE-2025-42935 | Med | 0.27 | 4.1 | 0.00 | Aug 12, 2025 | The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the… | ||
| CVE-2025-42965 | Med | 0.27 | 4.1 | 0.00 | Jul 8, 2025 | SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints.… | ||
| CVE-2025-31326 | Med | 0.27 | 4.1 | 0.00 | Jul 8, 2025 | SAP�BusinessObjects Business�Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application… |
- risk 0.28cvss 4.3epss 0.00
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted.
- risk 0.28cvss 4.3epss 0.00
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
- risk 0.28cvss 4.3epss 0.00
Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
- risk 0.28cvss 4.3epss 0.00
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger…
- risk 0.28cvss 4.3epss 0.00
SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application.
- risk 0.28cvss 4.3epss 0.00
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment…
- risk 0.28cvss 4.3epss 0.00
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule…
- risk 0.28cvss 4.3epss 0.00
A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or…
- risk 0.28cvss 4.3epss 0.00
Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close…
- risk 0.28cvss 4.3epss 0.00
Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the…
- risk 0.28cvss 4.3epss 0.00
SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has…
- risk 0.28cvss 4.3epss 0.00
SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries.�It has no impact…
- risk 0.28cvss 4.3epss 0.00
SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete attachment from bank account application of other user, leading to a low impact on integrity, with no impact on the confidentiality of…
- risk 0.28cvss 4.3epss 0.00
SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of…
- risk 0.28cvss 4.3epss 0.00
SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the…
- risk 0.28cvss 4.3epss 0.00
SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.
- risk 0.28cvss 4.3epss 0.00
SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not…
- risk 0.28cvss 4.3epss 0.00
SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which entity set could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability is not impacted.
- risk 0.28cvss 4.3epss 0.00
SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code…
- risk 0.28cvss 4.3epss 0.00
A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive…
- risk 0.28cvss 4.3epss 0.00
The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a…
- risk 0.28cvss 4.3epss 0.00
The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on…
- risk 0.28cvss 4.3epss 0.00
SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application,…
- risk 0.28cvss 4.3epss 0.00
OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.
- risk 0.28cvss 4.3epss 0.00
An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and…
- risk 0.28cvss 4.3epss 0.00
The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This…
- risk 0.28cvss 4.3epss 0.00
SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need…
- risk 0.28cvss 4.3epss 0.00
Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability
- risk 0.28cvss 4.3epss 0.00
An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the…
- risk 0.28cvss 4.3epss 0.00
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are…
- risk 0.28cvss 4.3epss 0.00
SAP HCM Approve Timesheets Version 4 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.There is low impact on integrity of the application. Confidentiality and availibility are not impacted.
- risk 0.28cvss 4.3epss 0.00
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was…
- risk 0.28cvss 4.3epss 0.00
Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would otherwise be restricted. The vulnerability could expose internal user data that should remain confidential. It does not impact the integrity and…
- risk 0.28cvss 4.3epss 0.00
Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on…
- risk 0.28cvss 4.3epss 0.00
Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the…
- risk 0.28cvss 4.3epss 0.00
Due to missing authorization checks, SAP Enable Now allows an author to escalate privileges to access information which should otherwise be restricted. On successful exploitation, the attacker can cause limited impact on confidentiality of the application.
- risk 0.28cvss 4.3epss 0.00
Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application.…
- risk 0.28cvss 4.3epss 0.00
Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of…
- risk 0.28cvss 4.3epss 0.00
Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the…
- risk 0.28cvss 4.3epss 0.00
Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of…
- risk 0.28cvss 4.3epss 0.01
A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP…
- risk 0.28cvss 4.3epss 0.02
SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs.
- risk 0.28cvss 4.3epss 0.01
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
- risk 0.28cvss 4.3epss 0.02
SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128.
- risk 0.27cvss 4.2epss 0.00
SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge…
- risk 0.27cvss 4.1epss 0.00
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This…
- risk 0.27cvss 4.2epss 0.00
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept…
- risk 0.27cvss 4.1epss 0.00
The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the…
- risk 0.27cvss 4.1epss 0.00
SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints.…
- risk 0.27cvss 4.1epss 0.00
SAP�BusinessObjects Business�Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application…
Page 9 of 37