Filtered by vendor Sap
Subscriptions
Total
1500 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-3976 | 1 Sap | 1 Netweaver Application Server Java | 2025-03-07 | 7.5 High |
| Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | ||||
| CVE-2023-39439 | 1 Sap | 2 Commerce Cloud, Commerce Hycom | 2025-02-27 | 8.8 High |
| SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. | ||||
| CVE-2023-42473 | 1 Sap | 1 S\/4hana | 2025-02-27 | 5.4 Medium |
| S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application. | ||||
| CVE-2023-0021 | 1 Sap | 1 Netweaver | 2025-02-27 | 6.1 Medium |
| Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. | ||||
| CVE-2023-23857 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 9.9 Critical |
| Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable. | ||||
| CVE-2023-24526 | 1 Sap | 1 Netweaver Application Server Java | 2025-02-27 | 5.3 Medium |
| SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. | ||||
| CVE-2023-25615 | 1 Sap | 1 Abap Platform | 2025-02-27 | 6.8 Medium |
| Due to insufficient input sanitization, SAP ABAP - versions 751, 753, 753, 754, 756, 757, 791, allows an authenticated high privileged user to alter the current session of the user by injecting the malicious database queries over the network and gain access to the unintended data. This may lead to a high impact on the confidentiality and no impact on the availability and integrity of the application. | ||||
| CVE-2023-25616 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2025-02-27 | 9.9 Critical |
| In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system. | ||||
| CVE-2023-25617 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2025-02-27 | 9 Critical |
| SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system. | ||||
| CVE-2023-26459 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 7.4 High |
| Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability. | ||||
| CVE-2023-27271 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-02-27 | 6.5 Medium |
| In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability. | ||||
| CVE-2023-27896 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-02-27 | 6.5 Medium |
| In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability. | ||||
| CVE-2023-27894 | 1 Sap | 1 Businessobjects Business Intelligence | 2025-02-27 | 5 Medium |
| SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data. | ||||
| CVE-2023-27498 | 1 Sap | 1 Host Agent | 2025-02-27 | 7.2 High |
| SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error. This error can be used to reveal but not modify any technical information about the server. It can also make a particular service temporarily unavailable | ||||
| CVE-2023-27501 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 8.7 High |
| SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity | ||||
| CVE-2023-27893 | 1 Sap | 1 Solution Manager | 2025-02-27 | 8.8 High |
| An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. | ||||
| CVE-2023-27895 | 1 Sap | 1 Authenticator | 2025-02-27 | 6.1 Medium |
| SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the mobile device. The attacker could extract the currently views of the OTP and the secret OTP alphanumeric token during the token setup. On successful exploitation, an attacker can read some sensitive information but cannot modify and delete the data. | ||||
| CVE-2023-25618 | 1 Sap | 1 Netweaver Application Server Abap | 2025-02-27 | 6.5 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. | ||||
| CVE-2023-26457 | 1 Sap | 1 Content Server | 2025-02-27 | 6.1 Medium |
| SAP Content Server - version 7.53, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can read and modify some sensitive information but cannot delete the data. | ||||
| CVE-2023-26460 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 5.3 Medium |
| Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity | ||||