Vulnerabilities (CVE)

Filtered by vendor Sap Subscribe
Total 1426 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-17865 1 Sap 1 J2ee Engine 2024-04-11 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2018-17862 1 Sap 1 J2ee Engine 2024-04-11 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2018-17861 1 Sap 1 J2ee Engine 2024-04-11 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2023-32113 1 Sap 1 Gui For Windows 2024-03-19 N/A 9.3 CRITICAL
SAP GUI for Windows - version 7.70, 8.0, allows an unauthorized attacker to gain NTLM authentication information of a victim by tricking it into clicking a prepared shortcut file. Depending on the authorizations of the victim, the attacker can read and modify potentially sensitive information after successful exploitation.
CVE-2017-12637 1 Sap 1 Netweaver Application Server Java 2024-02-14 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
CVE-2014-9569 1 Sap 1 Netweaver Business Client For Html 2024-02-14 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Business Client (NWBC) for HTML 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) roundtrips parameter, aka SAP Security Note 2051285.
CVE-2023-24523 1 Sap 1 Host Agent 2024-02-01 N/A 8.8 HIGH
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges.  The OS command can read or modify any user or system data and can make the system unavailable.
CVE-2023-27500 1 Sap 1 Netweaver Application Server Abap 2024-02-01 N/A 8.1 HIGH
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.
CVE-2024-21735 1 Sap 1 Lt Replication Server 2024-01-30 N/A 7.2 HIGH
SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.
CVE-2022-41196 1 Sap 1 3d Visual Enterprise Viewer 2024-01-25 N/A 7.8 HIGH
Due to lack of proper memory management, when a victim opens a manipulated VRML Worlds (.wrl, vrml.x3d) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory.
CVE-2022-39805 1 Sap 1 3d Visual Enterprise Author 2024-01-25 N/A 7.8 HIGH
Due to lack of proper memory management, when a victim opens a manipulated Computer Graphics Metafile (.cgm, CgmTranslator.exe) file received from untrusted sources in SAP 3D Visual Enterprise Author - version 9, it is possible that a Remote Code Execution can be triggered when payload forces a stack-based overflow or a re-use of dangling pointer which refers to overwritten space in memory.
CVE-2022-41186 1 Sap 1 3d Visual Enterprise Viewer 2024-01-25 N/A 7.8 HIGH
Due to lack of proper memory management, when a victim opens manipulated Computer Graphics Metafile (.cgm, CgmCore.dll) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9, a Remote Code Execution can be triggered when payload forces a stack-based overflow and or a re-use of dangling pointer which refers to overwritten space in memory.
CVE-2024-22124 1 Sap 1 Netweaver 2024-01-22 N/A 7.5 HIGH
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality.
CVE-2024-21736 1 Sap 1 S\/4hana Finance 2024-01-19 N/A 6.5 MEDIUM
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.
CVE-2024-21737 1 Sap 1 Application Interface Framework 2024-01-16 N/A 9.1 CRITICAL
In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.
CVE-2023-49581 1 Sap 1 Netweaver Application Server Abap 2024-01-16 N/A 9.4 CRITICAL
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.
CVE-2024-22125 1 Sap 1 Gui Connector 2024-01-12 N/A 7.5 HIGH
Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted causing high impact on confidentiality.
CVE-2024-21734 1 Sap 1 Marketing 2024-01-12 N/A 5.4 MEDIUM
SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.
CVE-2024-21738 1 Sap 1 Netweaver Application Server Abap 2024-01-11 N/A 5.4 MEDIUM
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
CVE-2023-50422 1 Sap 1 Cloud-security-services-integration-library 2024-01-09 N/A 9.8 CRITICAL
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.