Filtered by vendor Sap
Subscribe
Total
1487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16679 | 1 Sap | 1 Sap Kernel | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site. | |||||
| CVE-2017-15296 | 1 Sap | 1 Customer Relationship Management | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. | |||||
| CVE-2017-7696 | 1 Sap | 1 Sso Authentication Library | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042. | |||||
| CVE-2017-6061 | 1 Sap | 1 Businessobjects Financial Consolidation | 2025-04-20 | 4.3 MEDIUM | 4.7 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Security Note 2368106. | |||||
| CVE-2017-5372 | 1 Sap | 1 Netweaver | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908. | |||||
| CVE-2016-6143 | 1 Sap | 1 Hana | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806. | |||||
| CVE-2014-8871 | 1 Sap | 1 Hybris | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in hybris Commerce software suite 5.0.3.3 and earlier, 5.0.0.3 and earlier, 5.0.4.4 and earlier, 5.1.0.1 and earlier, 5.1.1.2 and earlier, 5.2.0.3 and earlier, and 5.3.0.1 and earlier. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2017-11457 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. | |||||
| CVE-2017-14581 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2025-04-20 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||
| CVE-2017-15297 | 1 Sap | 1 Host Agent | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. | |||||
| CVE-2017-8852 | 1 Sap | 1 Sapcar | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It could be exploited with a crafted CAR archive file received from an untrusted remote source. The problem is that the length of data written is an arbitrary number found within the file. The vendor response is SAP Security Note 2441560. | |||||
| CVE-2016-10310 | 1 Sap | 1 Sql Anywhere | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778. | |||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | |||||
| CVE-2017-9613 | 1 Sap | 1 Successfactors | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality. | |||||
| CVE-2017-16687 | 1 Sap | 1 Hana Database | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The user self-service tools of SAP HANA extended application services, classic user self-service, a part of SAP HANA Database versions 1.00 and 2.00, can be misused to enumerate valid and invalid user accounts. An unauthenticated user could use the error messages to determine if a given username is valid. | |||||
| CVE-2017-16682 | 1 Sap | 2 Business Application Software Integrated Solution, Netweaver Internet Transaction Server | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. | |||||
| CVE-2017-14516 | 1 Sap | 1 Businessobjects Financial Consolidation | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292. | |||||
| CVE-2017-16691 | 1 Sap | 1 Business Application Software Integrated Solution | 2025-04-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted. | |||||