Filtered by vendor Sap
Subscribe
Total
1487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-30744 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | N/A | 8.2 HIGH |
| In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability. | |||||
| CVE-2023-30743 | 1 Sap | 1 Sapui5 | 2024-11-21 | N/A | 7.1 HIGH |
| Due to improper neutralization of input in SAPUI5 - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200, sap.m.FormattedText SAPUI5 control allows injection of untrusted CSS. This blocks user’s interaction with the application. Further, in the absence of URL validation by the application, the vulnerability could lead to the attacker reading or modifying user’s information through phishing attack. | |||||
| CVE-2023-30742 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | N/A | 6.1 MEDIUM |
| SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.An attacker could store a malicious URL and lure the victim to click, causing the script supplied by the attacker to execute in the victim user's session. The information from the victim's session could then be modified or read by the attacker. | |||||
| CVE-2023-30741 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 6.1 MEDIUM |
| Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2023-30740 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 6.3 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and availability of the application. | |||||
| CVE-2023-2827 | 1 Sap | 2 Digital Manufacturing, Plant Connectivity | 2024-11-21 | N/A | 7.9 HIGH |
| SAP Plant Connectivity - version 15.5 (PCo) or the Production Connector for SAP Digital Manufacturing - version 1.0, do not validate the signature of the JSON Web Token (JWT) in the HTTP request sent from SAP Digital Manufacturing. Therefore, unauthorized callers from the internal network could send service requests to PCo or the Production Connector, which could have an impact on the integrity of the integration with SAP Digital Manufacturing. | |||||
| CVE-2023-29189 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | N/A | 5.4 MEDIUM |
| SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields | |||||
| CVE-2023-29188 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2024-11-21 | N/A | 5.4 MEDIUM |
| SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with user level access can read and modify some sensitive information but cannot delete the data. | |||||
| CVE-2023-29187 | 1 Sap | 1 Sapsetup | 2024-11-21 | N/A | 6.7 MEDIUM |
| A Windows user with basic user authorization can exploit a DLL hijacking attack in SapSetup (Software Installation Program) - version 9.0, resulting in a privilege escalation running code as administrator of the very same Windows PC. A successful attack depends on various preconditions beyond the attackers control. | |||||
| CVE-2023-29186 | 1 Sap | 1 Netweaver | 2024-11-21 | N/A | 8.7 HIGH |
| In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files can be overwritten making the system unavailable. | |||||
| CVE-2023-29185 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2024-11-21 | N/A | 5.3 MEDIUM |
| SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | |||||
| CVE-2023-29112 | 1 Sap | 1 Application Interface | 2024-11-21 | N/A | 3.7 LOW |
| The SAP Application Interface (Message Monitoring) - versions 600, 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment will render links and custom CSS classes as HTML objects. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-29111 | 1 Sap | 1 Application Interface Framework | 2024-11-21 | N/A | 3.1 LOW |
| The SAP AIF (ODATA service) - versions 755, 756, discloses more detailed information than is required. An authorized attacker can use the collected information possibly to exploit the component. As a result, an attacker can cause a low impact on the confidentiality of the application. | |||||
| CVE-2023-29110 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2024-11-21 | N/A | 3.7 LOW |
| The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-29109 | 1 Sap | 4 Abap Platform, Application Interface Framework, Basis and 1 more | 2024-11-21 | N/A | 4.4 MEDIUM |
| The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-29108 | 1 Sap | 2 Abap Platform Kernel, Web Dispatcher | 2024-11-21 | N/A | 5.0 MEDIUM |
| The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources. | |||||
| CVE-2023-28765 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 9.8 CRITICAL |
| An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application. | |||||
| CVE-2023-28764 | 1 Sap | 1 Businessobjects | 2024-11-21 | N/A | 3.7 LOW |
| SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system. | |||||
| CVE-2023-28763 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | N/A | 6.5 MEDIUM |
| SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction. | |||||
| CVE-2023-28762 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 9.1 CRITICAL |
| SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction. The attacker can impersonate any user on the platform resulting into accessing and modifying data. The attacker can also make the system partially or entirely unavailable. | |||||