Filtered by vendor Sap
Subscribe
Total
1452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-2505 | 1 Sap | 1 Hybris | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7). | |||||
| CVE-2018-2442 | 1 Sap | 2 Businessobjects Business Intelligence, Internet Graphics Server | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. | |||||
| CVE-2018-2464 | 1 Sap | 1 Netweaver | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0238 | 1 Sap | 1 Hybris | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0244 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2470 | 1 Sap | 1 Netweaver | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2484 | 1 Sap | 4 Bank\/cfm, Ea-finserv, S4core and 1 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2446 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure. | |||||
| CVE-2018-2504 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. | |||||
| CVE-2018-2465 | 1 Sap | 1 Hana | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| SAP HANA (versions 1.0 and 2.0) Extended Application Services classic model OData parser does not sufficiently validate XML. By exploiting, an unauthorized hacker can cause the database server to crash. | |||||
| CVE-2018-2490 | 1 Sap | 1 Fiori Client | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version. | |||||
| CVE-2019-0258 | 1 Sap | 1 Disclosure Management | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2019-0255 | 1 Sap | 3 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl64nuc, Advanced Business Application Programming Platform Krnl64uc | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
| SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate type of installation for an ABAP Server system correctly. That behavior may lead to situation, where business user achieves access to the full SAP Menu, that is 'Easy Access Menu'. The situation can be misused by any user to leverage privileges to business functionality. | |||||
| CVE-2018-2486 | 1 Sap | 2 Marketing Sapscore, Marketing Uicuan | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2455 | 1 Sap | 1 Enterprise Financial Services | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_SEPA) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2459 | 1 Sap | 1 Mobile Platform | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user. | |||||
| CVE-2018-2500 | 1 Sap | 1 Mobile Secure | 2024-02-04 | 1.9 LOW | 4.7 MEDIUM |
| Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted. | |||||
| CVE-2018-2461 | 1 Sap | 1 People Profile | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges. | |||||
| CVE-2019-0251 | 1 Sap | 1 Businessobjects | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2467 | 1 Sap | 1 Businessobjects Bi Platform | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In the Software Development Kit in SAP BusinessObjects BI Platform Servers, versions 4.1 and 4.2, using the specially crafted URL in a Web Browser such as Chrome the system returns an error with the path of the used application server. | |||||