Filtered by vendor Sap
Subscribe
Total
1426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-29188 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2023-12-10 | N/A | 5.4 MEDIUM |
| SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data. | |||||
| CVE-2023-27267 | 1 Sap | 1 Diagnostics Agent | 2023-12-10 | N/A | 8.1 HIGH |
| Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent - version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | |||||
| CVE-2023-33985 | 1 Sap | 1 Netweaver | 2023-12-10 | N/A | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2023-31406 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-12-10 | N/A | 6.1 MEDIUM |
| Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-41261 | 2 Microsoft, Sap | 2 Windows, Solution Manager | 2023-12-10 | N/A | 5.5 MEDIUM |
| SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized. | |||||
| CVE-2023-26457 | 1 Sap | 1 Content Server | 2023-12-10 | N/A | 6.1 MEDIUM |
| SAP Content Server - version 7.53, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can read and modify some sensitive information but cannot delete the data. | |||||
| CVE-2022-41268 | 1 Sap | 1 Business Planning And Consolidation | 2023-12-10 | N/A | 7.5 HIGH |
| In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data. | |||||
| CVE-2023-23852 | 1 Sap | 1 Solution Manager | 2023-12-10 | N/A | 6.1 MEDIUM |
| SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2023-25614 | 1 Sap | 1 Netweaver Application Server Abap | 2023-12-10 | N/A | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application. | |||||
| CVE-2023-0012 | 2 Microsoft, Sap | 2 Windows, Host Agent | 2023-12-10 | N/A | 6.7 MEDIUM |
| In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker who gains local membership to SAP_LocalAdmin could be able to replace executables with a malicious file that will be started under a privileged account. Note that by default all user members of SAP_LocaAdmin are denied the ability to logon locally by security policy so that this can only occur if the system has already been compromised. | |||||
| CVE-2023-23853 | 1 Sap | 1 Netweaver Application Server Abap | 2023-12-10 | N/A | 6.1 MEDIUM |
| An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability. | |||||
| CVE-2022-41274 | 1 Sap | 1 Disclosure Management | 2023-12-10 | N/A | 6.5 MEDIUM |
| SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports. | |||||
| CVE-2022-41275 | 1 Sap | 1 Solution Manager | 2023-12-10 | N/A | 6.1 MEDIUM |
| In SAP Solution Manager (Enterprise Search) - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity. | |||||
| CVE-2023-0023 | 1 Sap | 1 Bank Account Management | 2023-12-10 | N/A | 5.7 MEDIUM |
| In SAP Bank Account Management (Manage Banks) application, when a user clicks a smart link to navigate to another app, personal data is shown directly in the URL. They might get captured in log files, bookmarks, and so on disclosing sensitive data of the application. | |||||
| CVE-2022-41263 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2023-12-10 | N/A | 4.3 MEDIUM |
| Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application. | |||||
| CVE-2023-27893 | 1 Sap | 1 Solution Manager | 2023-12-10 | N/A | 8.8 HIGH |
| An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. | |||||
| CVE-2022-41264 | 1 Sap | 1 Basis | 2023-12-10 | N/A | 8.8 HIGH |
| Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application. | |||||
| CVE-2023-24528 | 1 Sap | 1 Fiori | 2023-12-10 | N/A | 6.5 MEDIUM |
| SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents. | |||||
| CVE-2023-24530 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-12-10 | N/A | 9.1 CRITICAL |
| SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application. | |||||
| CVE-2023-27894 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-12-10 | N/A | 5.3 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data. | |||||